Lost and Found Information System v1.0 — Broken Access Control — CVE-2023-3018 (Authenticated)

Akash Pandey
May 31, 2023


Observation and Introduction:

The application Lost and Found Information System v1.0 is vulnerable to Broken Access Control, which allows a lower-privileged user to edit the administrator's username and password. VulDB assigned CVE-2023-3018. Due to improper session validation, a malicious staff user can navigate (force browse) to admin functionality and change the username and password of any user, which may result in an account takeover, including of the admin user.

Steps to reproduce:

1. Go to site/admin/?page=user/list using a staff user.

POC 1

2. Now see the POC below and notice that, as a staff user, I am able to access admin functionalities.

POC 2

3. Now, as a staff user, I am able to edit the admin user's password.

POC 3

Impact:

We are able to change the admin’s username and password.

Recommendation:

Validate the user session properly and implement an authorization check on each request, using a JWT token.
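The missing check behind the steps above and the fix this recommendation asks for, as an added Python example that is not the application's own code: a weak dispatcher that only asks "is the user logged in?" beside a hardened one that checks the role on every request and, for pages that edit a user record, also checks that the caller may touch that record. The page names are taken from this write-up; the "admin"/"staff" role names, the "profile" page and the Session structure are assumptions, and the identity in Session can come from a server-side session or from a verified JWT claim.

```python
# Added illustration, not the Lost and Found Information System's own code.
# Page names come from the write-up; "admin"/"staff" roles, the "profile"
# page and the Session structure are assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity established at login (server-side session or verified JWT claim)."""
    user_id: int
    role: str  # "admin" or "staff"


# Pages reachable via admin/?page=... and the roles allowed to open each one.
PAGE_ROLES = {
    "home": {"admin", "staff"},
    "profile": {"admin", "staff"},  # a user edits only their own record
    "user/list": {"admin"},         # the page force-browsed in the write-up
    "user/manage": {"admin"},       # edit any user's username and password
}


def can_edit_user(session, target_user_id):
    """Object-level rule: admins may edit anyone, other roles only themselves."""
    return session.role == "admin" or session.user_id == target_user_id


def handle_request_vulnerable(session, page, target_user_id=None):
    """Weak dispatcher: being logged in is the only requirement, so a staff
    session reaches user/list and user/manage and can change the admin record."""
    if session is None:
        return 401
    return 200 if page in PAGE_ROLES else 404


def handle_request(session, page, target_user_id=None):
    """Hardened dispatcher: the role is checked on every request, and any page
    that edits a user record also checks the caller may touch that record."""
    if session is None:
        return 401
    if page not in PAGE_ROLES:
        return 404
    if session.role not in PAGE_ROLES[page]:
        return 403
    if target_user_id is not None and not can_edit_user(session, target_user_id):
        return 403
    return 200
```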

The vulnerability has been assigned CVE-2023-3018.
