Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability is an Insecure Direct Object Reference (IDOR) in the StudioCMS password reset functionality prior to version 0.4.3.'}, {'type': 'paragraph', 'content': 'Specifically, any authenticated user with admin privileges can generate a password reset token for any other user, including the highest-privileged owner account, by using the POST /studiocms_api/dashboard/create-reset-link endpoint.'}, {'type': 'paragraph', 'content': "The system only checks if the caller is an admin but does not enforce role hierarchy or verify that the target user ID matches the caller's identity."}, {'type': 'paragraph', 'content': 'An attacker can then use the generated reset token with the POST /studiocms_api/dashboard/reset-password endpoint to change the password of the targeted account, effectively taking over that account.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any admin user to completely take over the owner account, which is the highest-privileged account in the StudioCMS system.

• Complete account takeover of the owner account.
• Full control over content management, user management, and system configuration.
• Potential unauthorized changes to critical system settings and data.

The severity is rated moderate with a CVSS v3.1 base score of 6.8, indicating a significant risk especially since the attack complexity is low and no user interaction is required.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring requests to the vulnerable endpoint POST /studiocms_api/dashboard/create-reset-link, especially those where an authenticated admin user generates password reset tokens for user IDs other than their own.'}, {'type': 'paragraph', 'content': "To detect potential exploitation, you can look for HTTP POST requests to the create-reset-link endpoint with JSON payloads specifying userId values that do not match the caller's identity."}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': 'Using network traffic analysis tools (e.g., tcpdump, Wireshark) to filter POST requests to /studiocms_api/dashboard/create-reset-link.'}, {'type': 'list_item', 'content': "Using grep or similar tools on server logs to find POST requests with JSON payloads containing userId fields different from the authenticated admin's ID."}, {'type': 'list_item', 'content': 'Example grep command on access logs: grep \'POST /studiocms_api/dashboard/create-reset-link\' access.log | grep -v \'userId":"<admin_user_id>"\''}, {'type': 'paragraph', 'content': 'Additionally, monitoring for usage of the reset-password endpoint immediately following such requests may indicate exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade StudioCMS to version 0.4.3 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'Until the upgrade can be applied, restrict admin user access to trusted personnel only, as any admin can exploit this vulnerability to take over the owner account.'}, {'type': 'paragraph', 'content': 'Additionally, monitor and audit usage of the password reset endpoints to detect and respond to suspicious activity.'}, {'type': 'paragraph', 'content': "If possible, implement additional access controls or custom patches to enforce role hierarchy and validate that password reset tokens can only be generated for the caller's own account."}] [1]

Useful 0 Not Useful 0