CVE-2026-40349
Privilege Escalation in Movary via Insecure User Settings Update

Publication date: 2026-04-18

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: leepeuker
Product: movary
Version / Range: up to 0.71.1 (0.71.1 excluded)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in Movary, a self-hosted web app for tracking and rating movies. Before version 0.71.1, an authenticated user could escalate their privileges to administrator by sending the parameter `isAdmin=true` to the endpoint `PUT /settings/users/{userId}` for their own user ID.

The endpoint is intended to allow users to edit their own profile, but it incorrectly updates the sensitive `isAdmin` field without verifying whether the caller has admin rights. This missing admin-only authorization check allows ordinary users to grant themselves administrator privileges.

This issue was fixed in version 0.71.1.

Impact Analysis

This vulnerability can have severe impacts because it allows an ordinary authenticated user to escalate their privileges to administrator.

  • An attacker could gain full administrative control over the Movary application.
  • With admin privileges, the attacker can modify other users' data, change application settings, and potentially access sensitive information.
  • This could lead to data breaches, unauthorized data manipulation, and disruption of service.
  • The vulnerability has a high CVSS score of 8.8, indicating a high severity with impacts on confidentiality, integrity, and availability.
Detection Guidance

Exploitation can be detected by monitoring HTTP PUT requests to the endpoint `/settings/users/{userId}` in which an authenticated user attempts to set the parameter `isAdmin=true` for their own user ID.

A possible way to detect exploitation attempts is to analyze web server logs or use network monitoring tools to look for PUT requests containing the `isAdmin=true` parameter.

For example, using command-line tools, you could search your web server access logs for such requests with a command like:

  • `grep 'PUT /settings/users/' /path/to/access.log | grep 'isAdmin=true'`

Alternatively, if you have access to the database or application logs, you could query for changes to the `isAdmin` field made by non-administrator users.

Mitigation Strategies

The immediate mitigation step is to upgrade Movary to version 0.71.1 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict access to the `PUT /settings/users/{userId}` endpoint or implement additional authorization checks to prevent ordinary users from modifying the `isAdmin` field.

Additionally, monitor for suspicious activity such as unauthorized privilege escalations and review user accounts for unexpected administrator privileges.
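The following is an added example, not Movary's own code (which is PHP): a framework-agnostic Python sketch of the pre-fix mass-assignment behaviour next to a handler that applies the admin-only rule for `isAdmin` described above. The user model, in-memory store, field allow-list and status codes are constructed for the illustration.

```python
"""Added example for the CWE-862 pattern in CVE-2026-40349: a profile-update
handler that mass-assigns submitted fields (pre-fix behaviour) beside one that
only lets administrators change privileged fields. Everything here is
constructed and stands in for the real application's database and routing."""
from dataclasses import dataclass

PRIVILEGED_FIELDS = {"isAdmin"}          # only an administrator may change these
EDITABLE_FIELDS = {"name"} | PRIVILEGED_FIELDS   # allow-list for the endpoint


@dataclass
class User:
    id: int
    name: str
    isAdmin: bool = False


def new_store() -> dict:
    """Constructed in-memory user table: one admin and one ordinary user."""
    return {1: User(1, "alice", isAdmin=True), 2: User(2, "bob")}


def vulnerable_update(users: dict, caller_id: int, target_id: int, payload: dict) -> int:
    """Pre-fix behaviour for PUT /settings/users/{userId}: the owner may edit
    their profile, and every submitted field is written, isAdmin included."""
    if caller_id != target_id:
        return 403
    for key, value in payload.items():
        setattr(users[target_id], key, value)   # mass assignment, no field check
    return 200


def secure_update(users: dict, caller_id: int, target_id: int, payload: dict) -> int:
    """Hardened behaviour: owner or admin may edit, unknown fields are rejected,
    and privileged fields are accepted only from an administrator. Rejecting
    (rather than silently dropping) isAdmin leaves an auditable 403."""
    caller = users[caller_id]
    if not caller.isAdmin and caller_id != target_id:
        return 403                                   # may only edit own profile
    if payload.keys() - EDITABLE_FIELDS:
        return 400                                   # field not on the allow-list
    if not caller.isAdmin and PRIVILEGED_FIELDS & payload.keys():
        return 403                                   # ordinary user touched isAdmin
    for key, value in payload.items():
        setattr(users[target_id], key, value)
    return 200


if __name__ == "__main__":
    store = new_store()
    print(vulnerable_update(store, 2, 2, {"isAdmin": True}), store[2].isAdmin)  # 200 True
    store = new_store()
    print(secure_update(store, 2, 2, {"isAdmin": True}), store[2].isAdmin)      # 403 False
```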

Compliance Impact

This vulnerability allows an ordinary authenticated user to escalate their privileges to administrator by modifying the `isAdmin` field without proper authorization checks.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive data and administrative functions, potentially violating data protection and privacy requirements under standards like GDPR and HIPAA.

Specifically, unauthorized administrative access could result in exposure, modification, or deletion of personal or protected health information, thereby compromising confidentiality, integrity, and availability.

Therefore, this vulnerability negatively impacts compliance with common standards and regulations that mandate strict access controls and protection of sensitive data.
