Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Kalmia CMS Incorrect Access Control Vulnerability Allowing Sensitive Data Exposure

Vulnerability

An incorrect access control vulnerability has been identified in Kalmia CMS version 0.2.0, specifically within the '/kal-api/auth/users' API endpoint. This vulnerability arises from inadequate permission validation and excessive data exposure in the backend. As a result, an authenticated user with basic read permissions can access sensitive information for all platform users, including Blowfish password hashes. This flaw enables offline cracking of passwords, potential privilege escalation, and compromise of administrative accounts, leading to a complete system takeover.
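The two defects the advisory names, inadequate permission validation and excessive data exposure, can be illustrated with a user-listing handler written both ways. This is an added example, not Kalmia CMS code; the user table, role names, placeholder hashes and the serializer are assumptions for illustration.

```python
"""Added example (not Kalmia's code): a user-listing handler that shows the
advisory's two root causes, then a hardened version of the same handler."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample user table; the hash values are placeholder strings,
# not real bcrypt (Blowfish-based) digests.
USERS = [
    {"id": 1, "username": "admin", "role": "admin",  "password_hash": "$2a$10$PLACEHOLDER_ADMIN"},
    {"id": 2, "username": "alice", "role": "editor", "password_hash": "$2a$10$PLACEHOLDER_ALICE"},
    {"id": 3, "username": "bob",   "role": "reader", "password_hash": "$2a$10$PLACEHOLDER_BOB"},
]

@dataclass
class Request:
    user: dict  # the authenticated caller, as resolved by the auth middleware

@dataclass
class Response:
    status: int
    body: Optional[list] = None

# Vulnerable pattern: authentication alone admits the caller (no role check),
# and the handler serialises the full database row, hash included.
def list_users_vulnerable(req: Request) -> Response:
    return Response(200, [dict(u) for u in USERS])

# Hardened pattern: (1) an explicit authorization check that denies by default,
# and (2) an allow-list serializer so the hash never reaches the wire,
# whatever role the caller holds.
PUBLIC_FIELDS = ("id", "username", "role")

def to_public(user: dict) -> dict:
    return {k: user[k] for k in PUBLIC_FIELDS}

def list_users_hardened(req: Request) -> Response:
    if req.user.get("role") != "admin":
        return Response(403)
    return Response(200, [to_public(u) for u in USERS])

def leaks_hashes(resp: Response) -> bool:
    """True if any serialised user in the response carries a password hash."""
    return any("password_hash" in u for u in (resp.body or []))
```

The serializer fix matters independently of the role check: even an admin-only listing should not ship hashes, since they are never needed by a client.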

Impact

Exploitation of this vulnerability allows low-privileged users to access sensitive information, including password hashes for all platform accounts. Cracking these hashes can lead to unauthorized access, potentially allowing attackers to escalate privileges and compromise administrative accounts.

Reproduction

To reproduce this vulnerability, log into Kalmia CMS version 0.2.0 with a read-only user account. Once authenticated, access the '/kal-api/auth/users' API endpoint. This can be done manually or using a script that automates the process. The response will include sensitive information for all users on the platform, such as password hashes.

Remediation

Users are advised to update to the patched version of Kalmia CMS, which is available on the project's GitHub repository.

Added: Dec 4, 2025, 10:20 PM
Updated: Dec 4, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.9
remediation: 0.0
relevance: 1.3
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.