Netsweeper Server Privilege Escalation Vulnerability in Account Management Interface

Vulnerability

A privilege escalation vulnerability has been identified in the account management interface of Netsweeper Server versions through 8.2.6. The issue arises from client-side-only restrictions and a lack of server-side validation, allowing unauthorized changes to the 'Account Owner' field. This vulnerability enables the reassignment of account ownership to or from any user. While the vulnerability requires initial web application authorization, it subsequently exploits those privileges to make unauthorized changes.
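The root cause described above is a server that applies whatever the client submits and relies on the form hiding the 'Account Owner' control. The following is an added illustration, not Netsweeper's code: a minimal account-update handler in its vulnerable form beside a hardened version that authorizes each submitted field on the server and records ownership changes for later review. All names (the "admin" and "operator" roles, the field names, the shape of the form, the sample users) are assumptions made for this example.

```python
# Added illustration, not Netsweeper's code. Every name here (roles, field
# names, the shape of the submitted form) is an assumption made for the example.
from typing import Dict, List

# Constructed sample users: only the "admin" role may reassign account ownership.
USERS: Dict[str, str] = {"alice": "admin", "bob": "operator"}

# Fields any authorized editor may change vs. fields that require the admin role.
GENERAL_FIELDS = {"display_name", "notes"}
OWNER_FIELDS = {"owner"}

# Audit trail of ownership changes, useful for detecting abuse after the fact.
AUDIT_LOG: List[dict] = []


class Forbidden(Exception):
    """Raised when the server rejects a field the caller may not modify."""


def update_account_vulnerable(actor: str, account: dict, form: dict) -> dict:
    """Vulnerable pattern: relies on the UI to hide the 'owner' control.

    Whatever the client submits is applied, so a caller who edits the request
    (removing the client-side restriction) can reassign ownership.
    """
    updated = dict(account)
    updated.update(form)  # no per-field authorization on the server
    return updated


def update_account_hardened(actor: str, account: dict, form: dict) -> dict:
    """Hardened pattern: authorize every submitted field on the server."""
    role = USERS.get(actor)
    if role is None:
        raise Forbidden(f"unknown actor {actor!r}")

    submitted = set(form)
    unknown = submitted - GENERAL_FIELDS - OWNER_FIELDS
    if unknown:
        # Reject rather than silently ignore: an unexpected field is a signal.
        raise Forbidden(f"unexpected fields: {sorted(unknown)}")

    if submitted & OWNER_FIELDS:
        if role != "admin":
            raise Forbidden(f"{actor} ({role}) may not change account ownership")
        if form["owner"] not in USERS:
            raise Forbidden(f"owner {form['owner']!r} is not a known user")

    updated = dict(account)
    updated.update(form)
    if "owner" in form and form["owner"] != account.get("owner"):
        AUDIT_LOG.append({"actor": actor, "account": account["id"],
                          "old_owner": account.get("owner"),
                          "new_owner": form["owner"]})
    return updated


def demo() -> dict:
    """Runs both handlers against the same tampered request; returns outcomes."""
    account = {"id": "acct-1", "owner": "alice", "display_name": "Branch A"}
    # Constructed request: an operator's form with an 'owner' field added client-side.
    tampered = {"display_name": "Branch A", "owner": "bob"}
    results = {"vulnerable_owner": update_account_vulnerable("bob", account, tampered)["owner"]}
    try:
        update_account_hardened("bob", account, tampered)
        results["hardened_owner"] = "changed"
    except Forbidden as exc:
        results["hardened_owner"] = f"rejected: {exc}"
    # The same change made by an admin is allowed and audited.
    results["admin_owner"] = update_account_hardened("alice", account, tampered)["owner"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler treats the submitted field set, not the rendered form, as the authorization boundary, and rejects unexpected fields instead of dropping them, since a stray 'owner' field from a non-admin session is itself worth logging.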

Impact

Exploitation of this vulnerability allows for unauthorized changes to account ownership, potentially leading to misuse of account privileges or access.

Reproduction

To reproduce this vulnerability, log into the Netsweeper Server account management interface with a user account that has the necessary privileges to access the account owner field. Once logged in, use client-side tools to bypass the client-side-only restriction on the 'Account Owner' field; because the server performs no validation of the submitted value, ownership can be reassigned to or from any user.

Remediation

Users are advised to upgrade to Netsweeper Server version 8.2.7 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          5.0
exploitability  6.2
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.