itranswarp Access Control Vulnerability in GlobalFilter DoFilter Function Allowing Authentication Bypass

Vulnerability

An access control vulnerability has been identified in itranswarp versions through 2.19. The issue resides in the doFilter method of GlobalFilter, where the authorization check only tests whether the raw request URI starts with '/manage/'. A servlet container strips path parameters (the ';...' portion of a path segment) from the URI before it maps the request to a handler, so a URI that does not literally begin with '/manage/' can still be dispatched to a '/manage/' handler. An attacker who manipulates the URI in this way reaches administrative components without authentication.

Impact

Exploitation of this vulnerability allows unauthenticated access to the '/manage' component, which can expose sensitive settings and permit administrative actions that should require a login.

Reproduction

To reproduce this vulnerability, request the '/manage/setting/website' URI directly: the filter recognizes the '/manage/' prefix and redirects to the authentication page. Then request '/manage;/setting/website' instead: the raw URI no longer starts with '/manage/', so the filter skips the authentication check, while the container drops the ';' path parameter and dispatches the request to the '/manage/setting/website' handler, which is then served without authentication.
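The following is an added example, not code from itranswarp or from this advisory, that contrasts the prefix check described above with a hardened form. It canonicalizes the raw request URI the way a servlet container does before dispatch (strips path parameters, percent-decodes once, collapses dot segments and repeated slashes) and applies the prefix test to the result, failing closed when the URI cannot be canonicalized. The class name, method names and the probe URIs in main are assumptions made for the illustration; only '/manage/setting/website' and '/manage;/setting/website' come from the advisory.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

public class ManagePathCheck {

    // Vulnerable form of the check, mirroring what the advisory describes:
    // a plain prefix test on the request URI exactly as the client sent it.
    static boolean vulnerableRequiresAuth(String rawRequestUri) {
        return rawRequestUri.startsWith("/manage/");
    }

    // Hardened form: canonicalize as the container will before mapping the
    // request to a controller, then test the canonical path. Anything that
    // cannot be canonicalized is treated as protected (fail closed).
    static boolean hardenedRequiresAuth(String rawRequestUri) {
        String canonical;
        try {
            canonical = canonicalPath(rawRequestUri);
        } catch (IllegalArgumentException e) {
            return true; // malformed percent-encoding: do not let it through
        }
        return canonical.equals("/manage") || canonical.startsWith("/manage/");
    }

    // Reduce a raw request URI to the path the container would dispatch on.
    static String canonicalPath(String rawRequestUri) {
        String path = rawRequestUri;
        int q = path.indexOf('?');
        if (q >= 0) path = path.substring(0, q);         // drop the query string
        path = path.replace('\\', '/');                  // treat backslash as a separator
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/", -1)) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi); // strip ";name=value" path parameters
            // '+' is literal in a path; protect it so URLDecoder does not turn it into a space
            seg = URLDecoder.decode(seg.replace("+", "%2B"), StandardCharsets.UTF_8);
            if (seg.isEmpty() || seg.equals(".")) continue;            // collapses "//" and "/./"
            if (seg.equals("..")) { segments.pollLast(); continue; }   // climb one level
            segments.add(seg);
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed probe URIs; the first two are the advisory's own reproduction pair.
        String[] probes = {
            "/manage/setting/website",       // direct access: both checks require auth
            "/manage;/setting/website",      // the advisory's bypass: raw prefix test fails
            "/manage;jsessionid=x/setting",  // a legitimate-looking path parameter, same effect
            "/%6danage/setting/website",     // percent-encoded 'm' in "manage"
            "/static/../manage/setting",     // dot segment climbs into /manage
            "/api/articles"                  // genuinely public path: neither check requires auth
        };
        for (String p : probes) {
            System.out.printf("%-32s vulnerable=%-5b hardened=%-5b canonical=%s%n",
                p, vulnerableRequiresAuth(p), hardenedRequiresAuth(p), canonicalPath(p));
        }
    }
}
```

Run with `javac ManagePathCheck.java && java ManagePathCheck`; the second probe prints vulnerable=false, hardened=true, which is the bypass in one line. In a real filter the simpler fix is to test the container's own canonical view (getServletPath() plus getPathInfo()) rather than getRequestURI(), or to reject outright any request whose raw URI contains ';', percent-encoded characters or '//', which is what Spring Security's StrictHttpFirewall does by default.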

Added: Aug 20, 2025, 5:34 PM
Updated: Aug 20, 2025, 5:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.