FlaskBlog Privilege Escalation Vulnerability Allowing Role Change to Admin

Vulnerability

A vulnerability in FlaskBlog versions through 2.8.0 allows any authenticated user to change a user's role to 'admin', including their own. The resulting administrative privileges include the ability to delete other users, posts, and comments. The issue resides in the 'routes/adminPanelUsers' file: the handler for the admin panel's user-management route processes the role-change form submission before it verifies that the requesting user is actually an admin, so a non-admin user can trigger the role change and escalate their privileges.

Impact

Exploitation of this vulnerability allows arbitrary privilege escalation: any authenticated user can obtain admin rights and with them every administrative function, including the deletion of users, posts, and comments.

Reproduction

To reproduce this vulnerability, log in as a non-admin user and navigate to the admin panel user management section. Send a request that includes the 'userRoleChangeButton' form element, targeting the account to be promoted (the 'test' user in this example). Because the handler processes the form before checking the requester's role, the request is accepted and the 'test' user is promoted to admin. After the role change, that user has full administrative access, even though the request was sent from a non-admin session.

Remediation

To address this vulnerability, move the user role validation code in the 'routes/adminPanelUsers' file so that it executes before line 36, i.e. before the handler processes the 'userRoleChangeButton' request. A requester who is not an admin must be rejected before any role is modified, not afterwards.

Added: Aug 19, 2025, 7:19 PM
Updated: Aug 19, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 6.8
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.