CVE-2022-4068: Fix authentication mass assignment vulnerability (#14468) · librenms/librenms@09a2977

A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an attacker with a low-privilege user to execute arbitrary JavaScript in the context of an admin's account.


@@ -37,11 +37,24 @@ public function authorize()

*/

public function rules()

{

if ($this->user()->isAdmin()) {

return [

‘realname’ => 'nullable|max:64|alpha_space’,

‘email’ => 'nullable|email|max:64’,

‘descr’ => 'nullable|max:30|alpha_space’,

‘new_password’ => ‘nullable|confirmed|min:’ . Config::get('password.min_length’, 8),

‘new_password_confirmation’ => 'nullable|same:new_password’,

‘dashboard’ => 'int’,

‘level’ => 'int’,

‘enabled’ => 'nullable’,

‘can_modify_passwd’ => 'nullable’,

];

}

return [

‘realname’ => 'nullable|max:64|alpha_space’,

‘email’ => 'nullable|email|max:64’,

‘descr’ => 'nullable|max:30|alpha_space’,

‘level’ => 'int’,

‘old_password’ => 'nullable|string’,

‘new_password’ => ‘nullable|confirmed|min:’ . Config::get('password.min_length’, 8),

‘new_password_confirmation’ => 'nullable|same:new_password’,
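Review bot: the non-admin branch of rules() still carries 'level' => 'int' (it appears in both return arrays), so if the controller fills the user model from the validated input, a non-admin request can still supply level; either drop it from the non-admin branch or confirm the controller never writes it for non-admins. The same applies in reverse to what is left out: the hunk removes enabled and can_modify_passwd from the non-admin rules, which only helps if the model is filled from validated() rather than from all() or the raw request, so that should be checked at the call site. Note also that this hunk covers only the mass-assignment part of the description; the missing escaping of the username in the admin user overview is not in the visible lines and should be verified elsewhere in the commit.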
