Grav CMS IDOR Vulnerability in Admin Panel Allowing Unauthorized Access to Sensitive Information

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Grav CMS Admin Panel, prior to version 1.8.0-beta.27. This vulnerability allows low-privilege users to access sensitive information from other accounts. While it does not enable direct account takeover, it exposes admin email addresses and other metadata, increasing the risk of phishing, credential stuffing, and social engineering attacks.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive information, specifically admin email addresses and associated metadata, from other user accounts. This information can be leveraged for targeted phishing attacks, credential stuffing, or social engineering campaigns.

Reproduction

To reproduce this vulnerability, log in as a low-privilege user (an account with 0 privileges). Then, access the endpoint for another user account, such as '/admin/accounts/users/{username}'. Although a '403 Forbidden' response will be returned, the page source will reveal sensitive information, including the admin's email address, in the '<title>' tag.

Remediation

Users can upgrade to Grav version 1.8.0-beta.27 or later to address this vulnerability.
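
A post-upgrade check for the leak described under Reproduction, added here as an example and not code from the advisory or from Grav: it takes the status and body of a response to '/admin/accounts/users/{username}' fetched with a low-privilege session and reports any e-mail address still rendered into the '<title>' of a 403 page. The response bodies, the paths and the address are constructed samples; the function names are hypothetical.

```python
import html
import re

# A forbidden response to /admin/accounts/users/<username> must not carry
# another account's e-mail address in its <title>. Bodies below are
# constructed samples (not Grav output) so the check runs offline.

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.IGNORECASE)


def page_title(body: str) -> str:
    """Return the decoded <title> text of an HTML body ('' if absent)."""
    m = TITLE_RE.search(body)
    if not m:
        return ""
    # Entity-encoded addresses (e.g. &#64; for @) still leak, so decode first.
    return html.unescape(m.group(1)).strip()


def leaked_emails(status: int, body: str) -> list[str]:
    """E-mail addresses exposed in the <title> of a 403 response."""
    if status != 403:
        return []
    return EMAIL_RE.findall(page_title(body))


def audit(responses: dict[str, tuple[int, str]]) -> dict[str, list[str]]:
    """Map each checked path to the addresses its 403 page leaks (empty = ok)."""
    return {path: leaked_emails(s, b) for path, (s, b) in responses.items()}


# Constructed sample bodies: one pre-fix style page that still renders the
# target account's metadata into the title, one fixed page that does not.
VULNERABLE_BODY = (
    "<html><head><title>Edit user admin &lt;admin&#64;example.org&gt; | Admin"
    "</title></head><body><h1>403 Forbidden</h1></body></html>"
)
FIXED_BODY = (
    "<html><head><TITLE>\n  Forbidden | Admin\n</TITLE></head>"
    "<body><h1>403 Forbidden</h1></body></html>"
)

SAMPLE = {
    "/admin/accounts/users/admin": (403, VULNERABLE_BODY),
    "/admin/accounts/users/editor": (403, FIXED_BODY),
}

if __name__ == "__main__":
    for path, addrs in audit(SAMPLE).items():
        print(f"{path}: {'LEAK ' + ', '.join(addrs) if addrs else 'ok'}")
```

Replace the sample dictionary with responses captured from your own instance after the upgrade; any non-empty list means the fix is not in place.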

Added: Dec 1, 2025, 10:22 PM
Updated: Dec 1, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.