ChurchCRM Kiosk Manager Broken Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in ChurchCRM versions through 5.12.0, specifically within the Kiosk Manager feature. It allows any authenticated user, regardless of role, to manipulate kiosk registrations and perform Kiosk Manager actions such as reloading and identifying kiosks. The affected functions are allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk. The Kiosk Manager is intended for administrators only, but the endpoints behind these actions do not verify that the caller holds the administrator role, so any logged-in user can reach them.

Impact

Exploitation of this vulnerability could disrupt Kiosk services by allowing unauthorized users to perform administrative actions within the Kiosk Manager.

Reproduction

To reproduce this vulnerability, log in as a user with low privileges. Use the browser's web developer tools to copy that user's session cookie, then send requests to the affected Kiosk Manager endpoints with cURL, including the low-privilege user's cookie in each request. The endpoints process the requests even though the caller is not an administrator, allowing the user to accept, reload, or identify kiosks.

Remediation

To address this vulnerability, enforce an administrator check server-side on every affected endpoint so that only administrators can invoke these functions. Apply the access control logic consistently to all Kiosk Manager actions, including the API endpoints that back the user interface, rather than relying on the UI hiding the feature from non-administrators. Verify the fix by repeating the low-privilege requests from the Reproduction section; each Kiosk Manager endpoint should refuse them.
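As an added illustration of the remediation, not code from ChurchCRM: a minimal PHP dispatcher that places the vulnerable pattern (the handler only confirms that the caller is logged in) next to the fixed pattern (one administrator guard applied before any of the four named Kiosk Manager actions runs). The session cookies, user records and action bodies are constructed for this example; the real ChurchCRM handlers and session layer are not shown here.

```php
<?php
// Added example, not ChurchCRM's own code. Users, sessions and action
// bodies are constructed stand-ins; only the placement of the check matters.
declare(strict_types=1);

final class User
{
    public function __construct(
        public readonly string $name,
        public readonly bool $isAdmin,
    ) {}
}

// Constructed session store: session cookie value -> logged-in user.
function sessionFor(string $cookie): ?User
{
    static $sessions = null;
    if ($sessions === null) {
        $sessions = [
            'sess-admin-1'   => new User('admin', true),
            'sess-lowpriv-7' => new User('lowpriv', false),
        ];
    }
    return $sessions[$cookie] ?? null;
}

// The four Kiosk Manager actions named in the advisory.
const KIOSK_ACTIONS = ['allowRegistration', 'acceptKiosk', 'reloadKiosk', 'identifyKiosk'];

// Stand-in for the real handler body.
function runAction(string $action, array $params): string
{
    return sprintf('%s executed for kiosk %s', $action, $params['kioskId'] ?? '?');
}

// Vulnerable pattern: authentication is checked, authorization is not,
// so any logged-in user reaches the handler.
function dispatchVulnerable(string $action, string $cookie, array $params): array
{
    $user = sessionFor($cookie);
    if ($user === null) {
        return [401, 'not logged in'];
    }
    if (!in_array($action, KIOSK_ACTIONS, true)) {
        return [404, 'unknown action'];
    }
    return [200, runAction($action, $params)];
}

// Fixed pattern: a single guard that every Kiosk Manager action passes through.
function requireAdmin(?User $user): ?array
{
    if ($user === null) {
        return [401, 'not logged in'];
    }
    if (!$user->isAdmin) {
        return [403, 'administrator role required'];
    }
    return null;
}

function dispatchFixed(string $action, string $cookie, array $params): array
{
    $denied = requireAdmin(sessionFor($cookie));
    if ($denied !== null) {
        return $denied;
    }
    if (!in_array($action, KIOSK_ACTIONS, true)) {
        return [404, 'unknown action'];
    }
    return [200, runAction($action, $params)];
}

// Same check as the Reproduction section: a low-privilege session against
// every action, with an admin session for comparison.
foreach (['sess-lowpriv-7' => 'low-privilege', 'sess-admin-1' => 'admin'] as $cookie => $label) {
    foreach (KIOSK_ACTIONS as $action) {
        [$vStatus] = dispatchVulnerable($action, $cookie, ['kioskId' => '42']);
        [$fStatus, $fBody] = dispatchFixed($action, $cookie, ['kioskId' => '42']);
        printf("%-14s %-18s vulnerable=%d fixed=%d (%s)\n",
            $label, $action, $vStatus, $fStatus, $fBody);
    }
}
```

Run with `php example.php`; the low-privilege rows show `vulnerable=200 fixed=403` for all four actions, while the admin rows show 200 in both. The guard runs before the action name is even resolved, so unknown actions are not distinguishable to a non-administrator, and adding a fifth Kiosk Manager action cannot silently bypass the check the way a per-handler check can.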

Added: Dec 17, 2025, 8:22 PM
Updated: Dec 17, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 5.6
exploitability: 6.6
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.