adata Software GmbH Mitarbeiterportal Incorrect Access Control Vulnerability Allowing Unauthorized Administrative Functions

Vulnerability

An incorrect access control vulnerability has been identified in adata Software GmbH's Mitarbeiterportal version 2.15.2.0, prior to 2.16.1. It enables remote authenticated users with low privileges to perform administrative tasks and manipulate other users' data through unauthorized API calls. The issue arises from multiple modules lacking proper authorization checks, so that standard users can access sensitive employee information and workflows by modifying web request parameters or calling the affected API endpoints directly.

Impact

Exploitation of this vulnerability could lead to unauthorized access to confidential employee data, including private email addresses and sensitive files, and to manipulation of workflows, such as approving or denying absence requests, deleting user data, and accessing administrative log files.

Reproduction

The vulnerability can be reproduced by sending requests to the affected API endpoints with modified parameters, such as user IDs or dates, using an intercepting web proxy like Burp Suite or an API testing tool. Once a request is intercepted, the parameter can be changed to refer to another user's data; because the server does not enforce access control on that parameter, the caller obtains the other user's sensitive information or administrative functions.
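As an added illustration of the flaw class (not the vendor's code), the following hypothetical absence-request API models the missing object-level check beside its hardened form: the vulnerable handler trusts the user-supplied request ID after authentication alone, while the hardened handlers authorize the caller against the owner of the object. All user, request and manager data are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when an authenticated caller may not act on the requested object."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str                  # "employee" or "manager"
    manager_id: Optional[int]  # who may act on this employee's records
    private_email: str


@dataclass(frozen=True)
class AbsenceRequest:
    request_id: int
    employee_id: int
    status: str = "pending"


# Constructed sample directory: Bob (2) reports to Carol (3); Alice (1) does not.
USERS: Dict[int, User] = {
    1: User(1, "employee", None, "alice@example.invalid"),
    2: User(2, "employee", 3, "bob@example.invalid"),
    3: User(3, "manager", None, "carol@example.invalid"),
}
REQUESTS: Dict[int, AbsenceRequest] = {10: AbsenceRequest(10, employee_id=2)}


def decide_absence_vulnerable(caller: User, request_id: int, decision: str) -> AbsenceRequest:
    """Flawed pattern: authentication only. Any logged-in user decides any request."""
    return replace(REQUESTS[request_id], status=decision)


def may_manage(caller: User, employee_id: int) -> bool:
    """Object-level rule: only the employee's own manager may act on their records."""
    target = USERS.get(employee_id)
    return caller.role == "manager" and target is not None and target.manager_id == caller.user_id


def decide_absence(caller: User, request_id: int, decision: str) -> AbsenceRequest:
    """Hardened handler: validate the input, then authorize against the object's owner."""
    if decision not in ("approved", "denied"):
        raise ValueError("unknown decision")
    req = REQUESTS.get(request_id)
    # Same error for missing and forbidden IDs, so responses do not reveal which IDs exist.
    if req is None or not may_manage(caller, req.employee_id):
        raise Forbidden(f"user {caller.user_id} may not decide request {request_id}")
    return replace(req, status=decision)


def read_private_email(caller: User, target_user_id: int) -> str:
    """Hardened read: the caller sees their own address or that of a direct report only."""
    target = USERS.get(target_user_id)
    if target is None or not (caller.user_id == target_user_id or may_manage(caller, target_user_id)):
        raise Forbidden(f"user {caller.user_id} may not read user {target_user_id}")
    return target.private_email
```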

Remediation

Users are advised to update to adata Software GmbH Mitarbeiterportal version 2.16.1 or later, where this vulnerability has been addressed.

Added: Dec 9, 2025, 7:14 PM
Updated: Dec 9, 2025, 7:14 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.