Danphe Health Hospital Management System EMR Password Reset Vulnerability in Security Settings Controller
Vulnerability
A Broken Object Level Authorization vulnerability has been identified in Danphe Health Hospital Management System EMR version 3.2. This issue allows any authenticated user to reset the password of any account, including administrative accounts. The vulnerability arises because the password reset endpoint does not properly verify user roles or permissions, enabling unauthorized password resets and potential account takeovers.
Impact
Exploitation of this vulnerability could lead to unauthorized password resets and account takeovers, including access to administrative accounts.
Reproduction
To reproduce this vulnerability, log into the application as an admin user. Navigate to the 'Settings' -> 'Security' section and use the 'ResetPassword' button next to any user. After resetting the password, log out and log back in as a non-admin user. Copy the authorization token from the session and replace the token in the PUT request to the '/api/SecuritySettings/ResetPassword' endpoint with the non-admin user's token. Submit the request to reset the password for the selected user.
Remediation
Users can update to Danphe Health Hospital Management System EMR version 3.11.11 or later, where this vulnerability has been patched.
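As an added illustration of the missing check (this is not Danphe's own code, which is not on this page): a hypothetical ASP.NET Core controller showing the pattern the advisory describes, a reset action that any valid session token can reach, next to a hardened version that enforces an administrator role server-side and records who reset whose password. The request shape, the IUserStore interface, the role name "Admin" and the action names are assumptions.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical request body; field names are assumed, not taken from the product.
public sealed record ResetPasswordRequest(int TargetUserId, string NewPassword);

// Hypothetical abstraction over the user store (assumed, not the project's API).
public interface IUserStore
{
    bool ResetPassword(int userId, string newPassword);
}

[ApiController]
[Route("api/SecuritySettings")]
public sealed class SecuritySettingsController : ControllerBase
{
    private readonly IUserStore _users;
    private readonly ILogger<SecuritySettingsController> _log;
    public SecuritySettingsController(IUserStore users, ILogger<SecuritySettingsController> log)
    { _users = users; _log = log; }

    // VULNERABLE PATTERN (illustrative): [Authorize] only proves the caller has a
    // valid session. Nothing checks the caller's role or whether they may act on
    // TargetUserId, so a non-admin token is enough to reset any account.
    [Authorize]
    [HttpPut("ResetPasswordVulnerable")]
    public IActionResult ResetPasswordVulnerable([FromBody] ResetPasswordRequest req)
    {
        if (!_users.ResetPassword(req.TargetUserId, req.NewPassword)) return NotFound();
        return Ok();
    }

    // HARDENED PATTERN: the role requirement is enforced by the framework before
    // the action body runs, so swapping in a non-admin token yields 403. The
    // warning-level audit line gives defenders a record of actor and target.
    [Authorize(Roles = "Admin")]
    [HttpPut("ResetPassword")]
    public IActionResult ResetPassword([FromBody] ResetPasswordRequest req)
    {
        if (string.IsNullOrWhiteSpace(req.NewPassword) || req.NewPassword.Length < 12)
            return BadRequest("password policy not met");

        var actor = User.Identity?.Name ?? "unknown";
        _log.LogWarning("Password reset: actor={Actor} target={Target}", actor, req.TargetUserId);

        if (!_users.ResetPassword(req.TargetUserId, req.NewPassword)) return NotFound();
        return Ok();
    }
}
```

For detection in the meantime, the same audit signal can be reconstructed from web-server logs: a PUT to /api/SecuritySettings/ResetPassword from a session that does not belong to an administrative account is exactly the request the reproduction steps describe.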