Headline
CVE-2023-32316: Users can add themselves to any organization in CloudExplorer Lite
CloudExplorer Lite is an open source cloud management tool. In affected versions users can add themselves to any organization in CloudExplorer Lite. This is due to a missing permission check on the user profile. It is recommended to upgrade the version to v1.1.0. There are no known workarounds for this vulnerability.
Impact
Users can add themselves to any organization in CloudExplorer Lite
The reproduction steps are as follows:
- User 1 belongs to organization team1 and does not belong to team2.
- User 1 modifies their own profile.
- On the interface, user 1 can only see team1 when modifying their organization.
- However, we intercepted the request using burpsuite and replaced the ID of team1 in the request with team2.
- Continue execution and find that it can be executed successfully.
- The reason is that although we ensure that team2 is not visible on the interface, the server did not check whether user1 can choose team2.
Reproduction video:
https://1drv.ms/v/s ! Avwg5C1eKVA4girUgKWl9SQX543P? e=N1ZU47
Affected versions: <= 1.0.2.
Patches
The vulnerability has been fixed in v1.1.0.
Workarounds
It is recommended to upgrade the version to v1.1.0.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/CloudExplorer-Dev/CloudExplorer-Lite
Email us at [email protected]