Executive Summary

This vulnerability affects Scoold, a Q&A and knowledge sharing platform for teams, in versions prior to 1.67.0. It allows an attacker to modify the admins configuration value by sending a request to the /api/config/set/admins endpoint with a forged Bearer token that is accepted as an admin API token.

When the attacker changes this setting, their chosen email address is written into the application configuration file. Although the change does not take effect immediately because the admin list is loaded only at startup, after the application restarts, the attacker’s account is recognized as an administrator and gains access to the admin panel.

This provides the attacker with a reliable persistence mechanism to regain admin access by writing their email into the admin list and triggering or waiting for a restart.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to gain persistent administrative access to the Scoold platform.

• The attacker can modify critical configurations and access sensitive data through the admin panel.
• They can maintain their admin privileges even after restarts, making it difficult to remove their access.
• This could lead to unauthorized data exposure, data manipulation, or disruption of service.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Scoold to version 1.67.0 or later, where the issue has been patched.

Additionally, if you suspect that the configuration has been tampered with, review and reset the admins configuration value in the application configuration file.

Restart the Scoold application after making these changes to ensure that the updated configuration is loaded and unauthorized admin accounts are removed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to gain persistent administrative access to the Scoold platform by modifying the admin configuration through a forged token. Such unauthorized access can lead to exposure or modification of sensitive data, which may violate data protection requirements under regulations like GDPR and HIPAA.

Specifically, the high impact on confidentiality and integrity indicated by the CVSS score suggests that personal or protected health information could be compromised or altered without authorization, undermining compliance with these standards.

Furthermore, the persistence of the attack after service restarts increases the risk of prolonged unauthorized access, complicating incident response and breach notification obligations under these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized modification of the admin configuration via a forged Bearer token sent to the /api/config/set/admins endpoint.

To detect this vulnerability on your network or system, you can monitor for suspicious HTTP requests targeting the /api/config/set/admins endpoint, especially those containing Bearer tokens that may be forged.

Commands to help detect such activity could include network traffic inspection or web server access log analysis. For example:

• Using grep to search web server logs for requests to the vulnerable endpoint: grep "/api/config/set/admins" /var/log/nginx/access.log
• Using tcpdump or tshark to capture and filter HTTP traffic for suspicious Bearer tokens: sudo tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'Authorization: Bearer'
• Checking the application configuration file for unexpected changes to the scoold.admins setting, which may indicate exploitation.

Note that detection requires monitoring for unauthorized access attempts with high privileges, as the attack requires network access and elevated permissions.

Useful 0 Not Useful 0