Sage DPW
cpe:2.3:a:sagedpw:sage_dpw:*:*:*:*:*:*:*
- < 2024_12_001
Sage DPW versions prior to 2024_12_001 do not consistently enforce role-based access restrictions on the server side. A low-privileged user with the employee role can create external courses for other employees by intercepting the course creation request and replacing their own user ID with that of another employee. The restriction that prevents this exists only in the user interface, so the modified request is accepted by the server.
Exploitation of this vulnerability allows unauthorized users to create courses for other employees, disrupting course assignment management.
To reproduce this vulnerability, a user with the MA role (the employee role referred to above) intercepts the course creation request with an HTTP proxy and replaces their own user ID in the 'id' parameter with the ID of another user who also has the MA role. After the modified request is forwarded, the course creation flow can be completed normally through the user interface, and the new course appears in the other employee's personal overview.
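The flaw described above is a server-side authorization gap: the check that a user may only assign courses to themselves lives in the UI, so a request whose 'id' parameter has been swapped is honoured. The following Python sketch is an added example, not Sage DPW code or its API; the handler names, the HR_ADMIN role, the user IDs and the course title are all constructed. It contrasts a handler that trusts the client-supplied 'id' with one that defaults the target to the authenticated session user and only honours a different id for roles authorised to assign courses to others, then replays the proxy-tampering reproduction against both.

```python
"""Added example, not Sage DPW code: a minimal course-assignment handler in
its vulnerable and hardened forms, showing why a client-supplied 'id' must
be checked against the authenticated session on the server side."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested target user."""


@dataclass
class User:
    user_id: int
    role: str  # constructed roles: "MA" (employee) or "HR_ADMIN" (may assign to others)


@dataclass
class CourseStore:
    # user_id -> list of external course titles assigned to that user
    courses: dict = field(default_factory=dict)

    def add(self, user_id: int, title: str) -> None:
        self.courses.setdefault(user_id, []).append(title)


# Hypothetical set of roles allowed to create courses on another employee's behalf.
ASSIGN_FOR_OTHERS = {"HR_ADMIN"}


def create_course_vulnerable(store: CourseStore, session_user: User, params: dict) -> int:
    """Vulnerable pattern: the target user is read from the request body.
    The UI only ever submits the caller's own id, so the restriction lives
    client-side; a proxy-modified request assigns the course to anyone."""
    target_id = int(params["id"])
    store.add(target_id, params["title"])
    return target_id


def create_course_fixed(store: CourseStore, session_user: User, params: dict) -> int:
    """Hardened pattern: the target defaults to the authenticated user, and a
    different client-supplied id is honoured only for authorised roles."""
    target_id = int(params.get("id", session_user.user_id))
    if target_id != session_user.user_id and session_user.role not in ASSIGN_FOR_OTHERS:
        raise Forbidden(
            f"user {session_user.user_id} ({session_user.role}) "
            f"may not assign courses to user {target_id}"
        )
    store.add(target_id, params["title"])
    return target_id


def run_scenario(handler) -> dict:
    """Replay the reproduction steps against a handler: an MA user submits a
    request whose 'id' was swapped for another MA user's id via a proxy.
    Returns who ended up with the course, or the error that was raised."""
    store = CourseStore()
    attacker = User(user_id=1001, role="MA")  # constructed sample users
    victim = User(user_id=1002, role="MA")
    # What the UI sent, after the 'id' parameter was edited in the proxy:
    tampered = {"id": str(victim.user_id), "title": "External Excel training"}
    try:
        target = handler(store, attacker, tampered)
        return {"accepted": True, "assigned_to": target, "store": dict(store.courses)}
    except Forbidden as exc:
        return {"accepted": False, "error": str(exc), "store": dict(store.courses)}


if __name__ == "__main__":
    for name, handler in (("vulnerable", create_course_vulnerable),
                          ("fixed", create_course_fixed)):
        print(name, run_scenario(handler))
```

The hardened handler still lets an employee create a course for themselves and lets an authorised role act on others, so the fix removes the bypass without changing legitimate behaviour; the essential change is that authorisation is decided from the server-side session, never from a parameter the client controls.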
Update to Sage DPW version 2024_12_001 or later to address this vulnerability.