fit2cloud Halo
cpe:2.3:a:fit2cloud:halo:*:*:*:*:*:*:*
- 2.21.10
A cross-site request forgery (CSRF) vulnerability has been identified in fit2cloud Halo version 2.21.10. It stems from a misconfigured Cross-Origin Resource Sharing (CORS) policy that allows any origin to send credentialed requests and that applies to API endpoints exempt from CSRF protection. As a result, an attacker could carry out stateful write operations on behalf of an administrator, such as uploading attachments or modifying user permissions.
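The CORS pattern behind this entry is easy to check for from the response headers alone: an `Access-Control-Allow-Origin` that reflects whatever origin the request carried, combined with `Access-Control-Allow-Credentials: true`. The block below is an added example, not Halo's own code and not taken from the advisory: it models a server applying a CORS policy, shows the weak setting (any origin reflected, credentials permitted) beside the corrected allow-list setting, and runs an audit function over both. The origins, policy objects and the simplified header model are constructed for illustration.

```python
"""Added example: flag the CORS pattern behind this CVE (credentials allowed
for any origin) and show the allow-listed policy that removes it.
This is a generic model of CORS header handling, not Halo's own code; the
origins and policies below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CorsPolicy:
    # Exact origins permitted to read responses; "*" means "any origin".
    allowed_origins: frozenset = field(default_factory=frozenset)
    allow_credentials: bool = False


def cors_response_headers(policy: CorsPolicy, request_origin: str) -> dict:
    """Simplified model of a server applying `policy` to a request that
    carries `Origin: request_origin`. Returns the CORS headers it emits."""
    if "*" in policy.allowed_origins or request_origin in policy.allowed_origins:
        # Browsers reject a literal "*" together with credentials, so permissive
        # servers echo the caller's origin instead; both branches reflect it here.
        headers = {"Access-Control-Allow-Origin": request_origin}
        if policy.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    return {}  # no CORS headers: the browser blocks the cross-origin read


def allows_credentialed_cross_origin(headers: dict, request_origin: str,
                                     trusted_origins: frozenset) -> bool:
    """True when a response lets an untrusted origin make credentialed
    (cookie-bearing) requests: ACAO reflects that origin and ACAC is true."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return creds and acao == request_origin and request_origin not in trusted_origins


TRUSTED = frozenset({"https://admin.example.test"})       # constructed
UNTRUSTED_ORIGIN = "https://third-party.example.test"      # constructed

# Weak setting: every origin reflected, credentials permitted (the CVE pattern).
WEAK_POLICY = CorsPolicy(allowed_origins=frozenset({"*"}), allow_credentials=True)
# Corrected setting: explicit allow-list; credentials only for listed origins.
HARDENED_POLICY = CorsPolicy(allowed_origins=TRUSTED, allow_credentials=True)


def audit(policy: CorsPolicy, origins=(UNTRUSTED_ORIGIN, *TRUSTED)) -> dict:
    """Map each probe origin to whether `policy` grants it credentialed access."""
    return {
        origin: allows_credentialed_cross_origin(
            cors_response_headers(policy, origin), origin, TRUSTED)
        for origin in origins
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit(policy))
```

Running the module prints the weak policy granting the untrusted origin credentialed access and the hardened policy denying it. The allow-list closes the cross-origin path the advisory describes; endpoints that are exempt from CSRF protection still need their own same-origin check (for example a token or an `Origin`/`Sec-Fetch-Site` comparison), which this header model does not cover.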
Successful exploitation enables cross-site request forgery attacks in which an attacker performs actions on behalf of an administrator, such as uploading files or changing user roles, potentially leading to unauthorized privilege escalation.
To reproduce this vulnerability, a low-privileged user sends a request that includes the administrator's cookies to an API endpoint exempt from CSRF protection. This can be done with a proof-of-concept script that automates uploading a file to an affected endpoint and then modifying a user's permissions.