MagnusBilling Privilege Escalation Vulnerability

Vulnerability

A broken access control vulnerability has been identified in MagnusBilling versions prior to 7.8.5.3. This vulnerability allows newly registered users to escalate their account privileges by sending a crafted request to the user save endpoint. By doing so, they can change their account status from 'pending' to 'active' without needing approval from an administrator, thereby gaining unauthorized access to features reserved for verified users.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling users to access restricted functionalities and areas of the application.

Reproduction

To reproduce this vulnerability, register a new user account on a vulnerable version of MagnusBilling. Once the account is created, send a request to the 'user/save' endpoint, including a parameter that changes the account status from 'pending' to 'active'. This can be done using a tool like Postman or through a custom script that automates the request. After the status is changed, the account will have elevated privileges, allowing access to admin-only features.

Remediation

Upgrade to MagnusBilling version 7.8.5.3 or later, where this vulnerability has been fixed.
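The defect class here is a save handler that trusts every submitted field, so a self-service user can write an administrative field such as the account status. The following is an added example, not MagnusBilling's own code (which is PHP; Python is used only to show the pattern), of the two controls a defender wants: a server-side per-role allowlist for the user save handler, and a check over application audit logs for non-admin actors who submitted a status field. The field names ('name', 'email', 'status'), role names and log line format are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Fields each role may set through the save endpoint. These names are
# assumptions for this example, not MagnusBilling's real schema.
EDITABLE_BY_ROLE = {
    "admin": {"name", "email", "status"},
    "user": {"name", "email"},  # 'status' is deliberately absent
}


@dataclass
class Account:
    username: str
    role: str            # "admin" or "user" (assumed role names)
    status: str = "pending"
    name: str = ""
    email: str = ""


def save_user_unchecked(target: Account, params: dict) -> list:
    """The vulnerable shape the advisory describes: every submitted field is
    written to the account, so a 'status' parameter is honoured for anyone."""
    for key, value in params.items():
        setattr(target, key, value)
    return sorted(params)


def save_user(actor: Account, target: Account, params: dict) -> list:
    """Hardened handler: a non-admin may only edit their own account and
    only the fields allowlisted for their role. A disallowed field aborts the
    whole request (the equivalent of an HTTP 403) instead of being silently
    dropped, so the attempt is visible to the caller and can be logged.
    Returns the list of fields that were applied."""
    if actor.role != "admin" and actor.username != target.username:
        raise PermissionError("a non-admin may only edit their own account")
    allowed = EDITABLE_BY_ROLE.get(actor.role, set())
    forbidden = sorted(set(params) - allowed)
    if forbidden:
        raise PermissionError(f"fields not editable by role {actor.role}: {forbidden}")
    for key, value in params.items():
        setattr(target, key, value)
    return sorted(params)


# Constructed application audit-log lines in an assumed format (one line per
# request, listing the actor, their role, the action and the submitted fields).
SAMPLE_LOG = """\
2025-07-31T15:19:02Z user=alice role=user action=user/save fields=name,email
2025-07-31T15:19:40Z user=mallory role=user action=user/save fields=status,email
2025-07-31T15:20:11Z user=root role=admin action=user/save fields=status
2025-07-31T15:21:05Z user=bob role=user action=login fields=-
"""

LOG_RE = re.compile(
    r"user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) fields=(?P<fields>\S+)"
)


def status_changes_by_non_admins(log_text: str) -> list:
    """Return the usernames of non-admin actors who sent a 'status' field to
    the user/save action: the pattern the advisory describes. On a patched
    install these requests are rejected; on an unpatched one they are the
    indicator worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "user/save":
            continue
        if m["role"] != "admin" and "status" in m["fields"].split(","):
            hits.append(m["user"])
    return hits


if __name__ == "__main__":
    alice = Account("alice", "user")
    print(save_user(alice, alice, {"name": "Alice"}))        # ['name']
    try:
        save_user(alice, alice, {"status": "active"})
    except PermissionError as exc:
        print("rejected:", exc)
    print(status_changes_by_non_admins(SAMPLE_LOG))        # ['mallory']
```

The allowlist lives on the server and is keyed by the actor's role, never by anything the client sends; that is the property the vulnerable version lacks. Rejecting the request outright rather than dropping the field is a deliberate choice: it keeps the attempt visible in the application log, which is what the detection helper then reads.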

Added: Jul 31, 2025, 3:19 PM
Updated: Jul 31, 2025, 4:41 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.