JhumanJ OpnForm Improper Access Control Vulnerability in Integrations Endpoint

An authorization vulnerability has been identified in JhumanJ OpnForm versions through 1.9.3. The issue arises in the '/show/integrations' endpoint, where the application fails to properly restrict access. This flaw allows low-privileged users with read-only permissions to view integration details, including valid webhook URLs, which should only be accessible to users with higher privileges. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows unauthorized users to access restricted integration data, potentially leading to unauthorized actions or data exposure.

Reproduction

To reproduce this vulnerability, log in as a low-privileged user with read-only access. Navigate to the '/show/integrations' endpoint of a form. The absence of proper authorization checks will permit access to the integrations data, including webhook URLs, which should be restricted to users with admin or user privileges.

Remediation

Users are advised to update to JhumanJ OpnForm version 1.9.4 or later, where this vulnerability has been patched.