UliCMS
cpe:2.3:a:ulicms:ulicms:*:*:*:*:*:*:*
- 2023.1
A privilege escalation vulnerability exists in UliCMS version 2023.1. This vulnerability allows unauthenticated attackers to create administrative accounts via the UserController endpoint. By sending a crafted POST request to /dist/admin/index.php with specific parameters, attackers can generate a new admin user with full system access.
Successful exploitation gives the attacker an administrative account and, with it, full access to the system.
To reproduce this vulnerability, send a POST request to /dist/admin/index.php with the following parameters: sClass set to UserController, sMethod set to create, add_admin set to add_admin, along with a chosen username, firstname, lastname, email, password, and group_id set to 1. Ensure that admin is set to 1 to create an administrative account.
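For detection, the request described above can be matched in logged HTTP traffic. The following is an added example, not code from UliCMS or from this advisory; the JSON record layout (including the `authenticated` flag) and the sample records are constructed assumptions about what a reverse proxy or WAF with body logging would provide.

```python
import json
from urllib.parse import parse_qs, urlsplit

ADMIN_ENDPOINT = "/dist/admin/index.php"  # path named in the advisory

# Constructed sample records; field names are assumptions, not a UliCMS log format.
SAMPLE_LOG = "\n".join([
    '{"ts":"2023-06-01T09:14:02Z","src":"198.51.100.7","method":"POST","path":"/dist/admin/index.php","authenticated":false,'
    '"body":"sClass=UserController&sMethod=create&add_admin=add_admin&username=x&group_id=1&admin=1"}',
    '{"ts":"2023-06-01T09:20:45Z","src":"203.0.113.20","method":"POST","path":"/dist/admin/index.php","authenticated":true,'
    '"body":"sClass=UserController&sMethod=create&add_admin=add_admin&username=ops&group_id=1&admin=1"}',
    '{"ts":"2023-06-01T09:21:10Z","src":"203.0.113.20","method":"POST","path":"/dist/admin/index.php","authenticated":true,'
    '"body":"sClass=UserController&sMethod=update&id=4"}',
    '{"ts":"2023-06-01T09:30:00Z","src":"198.51.100.9","method":"GET","path":"/dist/admin/index.php","authenticated":false,"body":""}',
    '{"ts":"2023-06-01T09:30:05Z","src":"198.51.100.9","method":"POST","path":"/cms/dist/admin/index.php","authenticated":false,'
    '"body":"sClass=usercontroller&sMethod=create&username=y&group_id=2"}',
])

def classify(rec):
    """Return 'alert', 'review' or None for one logged request."""
    if rec.get("method", "").upper() != "POST":
        return None
    url = urlsplit(rec.get("path", ""))
    # endswith() also covers installs below a sub-directory
    if not url.path.endswith(ADMIN_ENDPOINT):
        return None
    # Merge query-string and body parameters before matching
    form = parse_qs(url.query + "&" + rec.get("body", ""), keep_blank_values=True)
    def first(key):
        return form.get(key, [""])[0]
    # PHP class and method names are case-insensitive, so compare lowercased
    # (a precaution; the advisory only shows the exact-case values)
    if (first("sClass").lower(), first("sMethod").lower()) != ("usercontroller", "create"):
        return None
    if not rec.get("authenticated", False):
        return "alert"   # user creation without a session: the advisory's condition
    # Authenticated creation of a privileged account is legitimate but worth auditing
    return "review" if "1" in (first("admin"), first("group_id")) else None

def scan(log_text):
    """Return (verdict, timestamp, source) for every record that matches."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            verdict = classify(rec)
            if verdict:
                hits.append((verdict, rec["ts"], rec["src"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Alerts should be cross-checked against the CMS user table for administrative accounts created at the matching timestamps.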