Agorum Core Incorrect Access Control Vulnerability Allowing Privilege Escalation
Vulnerability
A vulnerability in Agorum Core Open versions 11.9.2 and 11.10.1 has been identified, allowing authenticated attackers to escalate privileges to Administrator. This incorrect access control enables access to sensitive components and information, including server logs, stack traces, and administrative tools for managing files and access rights. Notably, some of these endpoints were accessible without authentication immediately after a fresh installation.
Impact
Exploitation of this vulnerability allows for unauthorized access to administrative functionalities, including the ability to download server logs and stack traces, mass delete files, and modify access rights on uploaded files. This could lead to significant unauthorized manipulation of data and administrative oversight.
Reproduction
The vulnerability can be reproduced by logging into Agorum Core Open as a low-privileged user and accessing various administrative tools and endpoints that should require elevated privileges. Additionally, after a fresh installation, some administrative tools can be accessed without any authentication, allowing for unauthorized access to server logs and stack traces.
Remediation
Users of Agorum Core Open can upgrade to versions 11.9.2 or 11.10.1 to address this vulnerability.
