JhumanJ OpnForm Missing Authorization Vulnerability in API Endpoint Custom Domains
Vulnerability
A broken function-level authorization vulnerability has been identified in JhumanJ OpnForm versions through 1.9.3. The issue resides in the API endpoint '/custom-domains', where the absence of an authorization check enables low-privileged users to modify custom domain settings. Such changes are normally restricted and not even visible to users with read-only permissions. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows low-privileged users to modify custom domain settings without authorization, a function normally reserved for users with higher privileges. This can lead to unauthorized changes in the application's domain configuration, potentially causing disruption or misrepresentation of the application's identity.
Reproduction
To reproduce this vulnerability, a low-privileged user with read-only restrictions can access the '/custom-domains' API endpoint. Despite their limited permissions, they can send a request to modify the custom domain settings. This action will be processed without any authorization checks, allowing the user to make changes that should be restricted.
Remediation
Users are advised to update to JhumanJ OpnForm version 1.9.4 or later, where this vulnerability has been patched.
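The flaw described under Reproduction and the class of check a patched version must enforce can be modelled in a few lines. The following is an added illustration, not OpnForm's code or its 1.9.4 patch: the workspace and user model, the role names, the handler signatures and the sample domain values are all assumptions constructed for this example. It places the vulnerable handler (authenticated, but no function-level authorization) beside a hardened one, and wraps both in a regression check that a defender can keep in a test suite to confirm that a read-only member's write is refused and leaves state untouched.

```python
"""Model of a broken-function-level-authorization (BFLA) flaw on a
custom-domain settings endpoint, with a hardened variant and a regression check.

Constructed illustration, not OpnForm's code: the workspace/user model,
role names and handler signatures are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    workspace_id: int
    role: str  # assumed roles for this example: "admin", "user", "readonly"


@dataclass
class Workspace:
    id: int
    custom_domains: list = field(default_factory=list)


@dataclass
class Response:
    status: int
    body: dict


# Assumption for this example: only workspace admins may change custom domains.
WRITE_ROLES = {"admin"}


def vulnerable_update_custom_domains(user: User, ws: Workspace, domains: list) -> Response:
    """Vulnerable pattern: the caller is authenticated and belongs to the
    workspace, but the privileged write is never authorized against a role."""
    if user.workspace_id != ws.id:
        return Response(404, {"error": "not found"})
    ws.custom_domains = list(domains)  # any member, even read-only, lands here
    return Response(200, {"custom_domains": ws.custom_domains})


def hardened_update_custom_domains(user: User, ws: Workspace, domains: list) -> Response:
    """Hardened pattern: explicit function-level authorization before the write."""
    if user.workspace_id != ws.id:
        return Response(404, {"error": "not found"})
    if user.role not in WRITE_ROLES:
        # Deny and leave state untouched; this is the check the flaw lacks.
        return Response(403, {"error": "forbidden"})
    ws.custom_domains = list(domains)
    return Response(200, {"custom_domains": ws.custom_domains})


def bfla_regression_check(handler) -> dict:
    """Authorization regression check: a read-only member attempts a write,
    then an admin does. Returns the status codes and whether the read-only
    request changed state, so a test can assert the endpoint is not exposed."""
    ws = Workspace(id=1, custom_domains=["forms.example.test"])  # constructed sample
    readonly = User(id=2, workspace_id=1, role="readonly")
    admin = User(id=1, workspace_id=1, role="admin")
    before = list(ws.custom_domains)

    low = handler(readonly, ws, ["unauthorized-change.example.test"])
    readonly_changed_state = ws.custom_domains != before

    ws.custom_domains = list(before)  # reset, then confirm the legitimate path still works
    high = handler(admin, ws, ["new.example.test"])

    return {
        "readonly_status": low.status,
        "readonly_changed_state": readonly_changed_state,
        "admin_status": high.status,
        "vulnerable": readonly_changed_state or low.status == 200,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_update_custom_domains),
                          ("hardened", hardened_update_custom_domains)):
        print(name, bfla_regression_check(handler))
```

Running the module prints one result line per handler; the vulnerable handler reports the read-only write as accepted (status 200, state changed), while the hardened handler refuses it (403, state unchanged) and still lets the admin through. The same shape of check, a low-privileged principal exercising every state-changing route, is what a team would keep as a permanent test so that a missing authorization check on an endpoint such as '/custom-domains' fails the build rather than reaching production.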
