SICK Enterprise and Logistic Analytics Products Unlimited User Creation Vulnerability
Vulnerability
A vulnerability exists in SICK Enterprise Analytics and SICK Logistic Analytics products, allowing authorized users to create an unlimited number of user accounts through a specific API endpoint. This issue arises because the application lacks proper validation, quotas, or restrictions on the account creation process. As a result, an authorized user could potentially abuse this functionality to generate excessive accounts, which could lead to various security concerns, such as unauthorized access or resource exhaustion.
Impact
Exploitation of this vulnerability could result in unauthorized user account creation, potentially leading to misuse of accounts or resources.
Reproduction
To reproduce this vulnerability, an authorized user can send a POST request to the designated API endpoint for user account creation. Since there are no validation checks or limits on the number of accounts that can be created, this process can be repeated indefinitely.
Remediation
It is recommended to update to the latest version of the affected SICK products. For SICK Baggage Analytics, SICK Tire Analytics, SICK Package Analytics, and SICK Logistic Diagnostic Analytics, the latest version is 4.6.2. General security measures should also be applied when operating these products to mitigate the associated security risks.
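The control this advisory describes as missing is a server-side limit on account creation. The following is an added example, not SICK's code or API: a small account-creation service that enforces a per-creator quota over a time window, a global account cap, and writes an audit entry for each denied request so abuse shows up in logs (class and limit names are assumptions).

```python
# Added example (not SICK's code): quota enforcement for an account-creation
# endpoint. AccountService, QuotaExceeded and the default limits are assumptions.
from collections import defaultdict, deque
import time


class QuotaExceeded(Exception):
    """Raised when a creation request would exceed a configured limit."""


class AccountService:
    def __init__(self, per_creator_limit=5, window_seconds=3600,
                 max_accounts=1000, clock=time.time):
        self.per_creator_limit = per_creator_limit
        self.window = window_seconds
        self.max_accounts = max_accounts
        self.clock = clock                       # injectable for deterministic tests
        self.accounts = {"admin": "admin"}       # username -> role (constructed seed)
        self.history = defaultdict(deque)        # creator -> timestamps of creations
        self.audit = []                          # (outcome, actor, detail) for detection

    def _recent(self, creator, now):
        """Count creations by this creator inside the sliding window."""
        q = self.history[creator]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        return len(q)

    def create_user(self, creator, username, role="user"):
        now = self.clock()
        if self.accounts.get(creator) != "admin":
            self.audit.append(("denied", creator, "not authorized"))
            raise PermissionError("only admins may create accounts")
        if username in self.accounts:
            raise ValueError("username already exists")
        if len(self.accounts) >= self.max_accounts:
            self.audit.append(("denied", creator, "global cap"))
            raise QuotaExceeded("account cap reached")
        if self._recent(creator, now) >= self.per_creator_limit:
            self.audit.append(("denied", creator, "per-creator quota"))
            raise QuotaExceeded(f"{creator} exceeded {self.per_creator_limit} per window")
        self.accounts[username] = role
        self.history[creator].append(now)
        self.audit.append(("created", creator, username))
        return username
```

Repeated "denied" audit entries from one actor are the signal a detection rule should key on; the quota values are placeholders to be sized to the deployment.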