Headwind MDM Unauthorized Information Disclosure Vulnerability

Vulnerability

A vulnerability in Headwind MDM versions prior to 5.33.1 allows unauthorized users to access sensitive configuration details. Specifically, the 'Observer' user role can view configuration profiles that include passwords needed to exit MDM control on devices. This oversight stems from a permissions error, as such details should not be accessible to Observer users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive configuration information, including passwords that allow users to bypass MDM controls on their devices.

Reproduction

The vulnerability can be reproduced by logging into a Headwind MDM instance as a user with the 'Observer' role. Once logged in, access the configuration profiles, which will reveal passwords intended for device management.

Remediation

Users should update to Headwind MDM version 5.33.1 or later, where this vulnerability has been addressed.
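The flaw is a server-side authorization gap: a read-only role receives the full configuration profile, secrets included. The following added example (not Headwind MDM's code; the role names, field names and sample profile are constructed) contrasts that behaviour with a fix that projects the record onto a per-role allow-list before it leaves the server, and includes the kind of regression check that keeps the fix from silently regressing when new secret fields are added later.

```python
"""Role-based projection of MDM configuration profiles (added example).

All data below is constructed; field and role names are hypothetical
and do not reflect Headwind MDM's real schema or API.
"""
from copy import deepcopy

# Roles trusted with secrets, e.g. the password that exits MDM control.
ROLES_WITH_SECRET_ACCESS = {"SUPER_ADMIN", "ADMIN"}

# Allow-list: the only fields a read-only (Observer) role may receive.
# An allow-list is preferable to a deny-list of secret fields, because a
# new secret field added later is hidden by default instead of leaked.
OBSERVER_VISIBLE_FIELDS = {"id", "name", "kiosk_mode", "wifi_ssid"}

# Constructed sample profile as a server might load it from its database.
SAMPLE_PROFILE = {
    "id": 17,
    "name": "Warehouse scanners",
    "kiosk_mode": True,
    "exit_mdm_password": "constructed-exit-secret",
    "wifi_ssid": "corp-devices",
    "wifi_password": "constructed-wifi-secret",
}


def profile_view_vulnerable(profile: dict, role: str) -> dict:
    """'Before' behaviour: every authenticated role gets the full record."""
    return deepcopy(profile)


def profile_view_fixed(profile: dict, role: str) -> dict:
    """'After' behaviour: secrets only for trusted roles; everyone else
    gets the allow-listed projection, decided on the server, not the UI."""
    if role in ROLES_WITH_SECRET_ACCESS:
        return deepcopy(profile)
    return {k: v for k, v in profile.items() if k in OBSERVER_VISIBLE_FIELDS}


def leaked_secret_fields(view: dict) -> list:
    """Audit helper: secret-looking keys present in a response payload."""
    return sorted(k for k in view if "password" in k.lower())


def audit_roles(view_fn, profile: dict, roles: tuple) -> dict:
    """Regression check: map each role to the secret fields it receives.
    Read-only roles must map to an empty list once the fix is in place."""
    return {role: leaked_secret_fields(view_fn(profile, role)) for role in roles}


if __name__ == "__main__":
    roles = ("SUPER_ADMIN", "OBSERVER")
    print("vulnerable:", audit_roles(profile_view_vulnerable, SAMPLE_PROFILE, roles))
    print("fixed:     ", audit_roles(profile_view_fixed, SAMPLE_PROFILE, roles))
```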

Added: Jul 21, 2025, 5:42 PM
Updated: Jul 21, 2025, 5:42 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.