CVE-2026-35063
Privilege Escalation via Insecure JWT Role Check in OpenPLC_V3
Publication date: 2026-04-09
Last updated on: 2026-04-16
Assigner: ICS-CERT
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openplcproject | openplc_v3_firmware | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the OpenPLC_V3 REST API, where the user-management endpoint only checks that a JSON Web Token (JWT) is present and does not verify the caller's role before acting (CWE-862, missing authorization).
As a result, any authenticated user holding the role 'user' can delete other users, including administrators, simply by supplying the target's user ID.
The same user can also create new accounts with the role 'admin', escalating their own privileges to full administrator access.
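The check described above, as an added example that is not OpenPLC's own code: a stdlib-only HS256 JWT issuer and verifier, plus two hypothetical user-management handlers, each shown in the vulnerable form (any valid token is enough) and the fixed form (the verified role claim must be 'admin'). The handler names, the secret, the user table and the claim layout are constructed for the illustration; the page names no endpoints.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret and user table; not OpenPLC's real key, storage or schema.
SECRET = b"demo-secret-for-the-example-only"
SEED_USERS = {
    1: {"name": "admin", "role": "admin"},
    2: {"name": "operator", "role": "user"},
}


def fresh_users():
    return {uid: dict(u) for uid, u in SEED_USERS.items()}  # copy per call


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET):
    """Return the claims dict if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        given = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(expected, given):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp < time.time():
        return None
    return claims


def make_token(user_id: int, role: str, ttl: int = 300) -> str:
    """Token as the server would issue at login; the role is a server-set claim."""
    return sign_jwt({"sub": user_id, "role": role, "exp": int(time.time()) + ttl})


def _caller(auth_header: str):
    """Extract and verify the bearer token from an Authorization header."""
    if not auth_header.startswith("Bearer "):
        return None
    return verify_jwt(auth_header[len("Bearer "):])


# Vulnerable pattern (CWE-862): authentication only, any valid token passes.
def delete_user_vulnerable(users: dict, auth_header: str, target_id: int):
    if _caller(auth_header) is None:
        return 401, "missing or invalid token"
    users.pop(target_id, None)  # a 'user' can remove the admin here
    return 200, "deleted"


def create_user_vulnerable(users: dict, auth_header: str, name: str, role: str):
    if _caller(auth_header) is None:
        return 401, "missing or invalid token"
    users[max(users, default=0) + 1] = {"name": name, "role": role}  # role from request body
    return 200, "created"


# Fixed pattern: authorize on the verified role claim, never on client-supplied data.
def _require_admin(auth_header: str):
    caller = _caller(auth_header)
    if caller is None:
        return 401, "missing or invalid token"
    if caller.get("role") != "admin":
        return 403, "admin role required"
    return None


def delete_user_fixed(users: dict, auth_header: str, target_id: int):
    denied = _require_admin(auth_header)
    if denied:
        return denied
    if target_id not in users:
        return 404, "no such user"
    users.pop(target_id)
    return 200, "deleted"


def create_user_fixed(users: dict, auth_header: str, name: str, role: str):
    denied = _require_admin(auth_header)
    if denied:
        return denied
    if role not in ("admin", "user"):
        return 400, "unknown role"
    users[max(users, default=0) + 1] = {"name": name, "role": role}
    return 200, "created"
```

The only difference between the two forms is `_require_admin`: the fixed handlers read the role from the signature-verified claims the server minted at login, so a 'user' token is refused with 403 while a tampered payload carrying "role": "admin" fails signature verification and is refused with 401. The create handler additionally validates the requested role, since even an administrator should not be able to write arbitrary role strings into the user table.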
How can this vulnerability impact me?
The impact includes unauthorized deletion of user accounts, including administrative ones, which can lock legitimate administrators out of the system.
It also allows privilege escalation, since a normal user can create new administrator accounts.
Such actions can lead to loss of control over the system, unauthorized access, potential data breaches, and disruption of normal operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because any authenticated user with the basic 'user' role can delete other users, including administrators, or create new administrator accounts, the system cannot enforce the access controls these regulations assume.
Such unauthorized privilege escalation and account manipulation can expose sensitive data and critical system functions to users who were never granted access to them.
This compromises compliance with standards such as GDPR and HIPAA, which require strict access controls, user authentication, and protection of sensitive data.
Failure to verify user roles and to prevent unauthorized administrative actions may therefore count as a violation of these regulations, potentially leading to reportable data breaches and legal consequences.