Himool ERP Improper Authorization Vulnerability in Admin Action View Set
Vulnerability
A vulnerability exists in Himool ERP versions through 2.2, specifically within the AdminActionViewSet component. The issue arises in the update_account function of the /api/admin/update_account/ endpoint, where proper authorization checks are not enforced. This flaw allows unauthenticated users to remotely create or modify company accounts. Exploitation of this vulnerability is straightforward, and a public exploit is available.
Impact
Exploitation of this vulnerability could lead to unauthorized creation or modification of company accounts within the ERP system.
Reproduction
To reproduce this vulnerability, send a POST request to the /api/admin/update_account/ endpoint without authentication. Include a JSON payload specifying the account details, such as the company name, username, expiry date, and active status. The absence of authorization checks will allow the creation or modification of accounts as specified in the payload.
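The following is an added illustrative model, not Himool's code: a simplified update_account handler in the unguarded form the advisory describes beside a hardened form that enforces the missing authorization check, plus a small log scan that flags unauthenticated POSTs to the endpoint. The User, Request and log-line formats are constructed stand-ins (loosely modelled on Django REST Framework's request.user), and only the endpoint path comes from the advisory.

```python
from dataclasses import dataclass, field

ENDPOINT = "/api/admin/update_account/"  # path named in the advisory


@dataclass
class User:                     # stand-in for request.user (assumption)
    username: str = ""
    is_authenticated: bool = False
    is_staff: bool = False


@dataclass
class Request:                  # stand-in for a DRF request (assumption)
    user: User
    data: dict = field(default_factory=dict)


ACCOUNTS = {}                   # company name -> account record (in-memory)


def update_account_vulnerable(request):
    """Pattern the advisory describes: the payload is applied without
    checking who is calling, so an anonymous caller can create/modify accounts."""
    rec = {k: request.data.get(k) for k in ("username", "expiry_date", "is_active")}
    ACCOUNTS[request.data["company"]] = rec
    return {"status": 200, "account": rec}


def update_account_fixed(request):
    """Hardened form: require an authenticated staff user before touching
    accounts (what DRF's IsAuthenticated + IsAdminUser permissions enforce)."""
    if not request.user.is_authenticated:
        return {"status": 401, "detail": "authentication required"}
    if not request.user.is_staff:
        return {"status": 403, "detail": "admin privileges required"}
    return update_account_vulnerable(request)


# Constructed access-log lines: ip user "METHOD path proto" status
SAMPLE_LOG = [
    '10.0.0.5 - "POST /api/admin/update_account/ HTTP/1.1" 200',
    '10.0.0.7 alice "POST /api/admin/update_account/ HTTP/1.1" 200',
    '10.0.0.5 - "GET /api/ HTTP/1.1" 200',
]


def flag_unauthenticated_admin_calls(log_lines):
    """Detection: a '-' user field plus a POST to the admin endpoint marks
    the unauthenticated access pattern worth alerting on."""
    hits = []
    for line in log_lines:
        p = line.split()
        if len(p) >= 4 and p[1] == "-" and p[2] == '"POST' and p[3].startswith(ENDPOINT):
            hits.append(line)
    return hits
```

A 200 response to an anonymous POST on this path is the signal to look for in historical logs; after patching, the same request should return 401.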
