jshERP Improper Authorization Vulnerability in Account Deletion Endpoint
Vulnerability
A critical improper authorization vulnerability (CWE-285) affects jshERP versions through 3.5. The issue resides in the Account Handler component, specifically in the /user/delete endpoint. The endpoint deletes whichever account is named by the ID parameter in the request, but it never verifies that the calling user is permitted to delete that account, so any authenticated low-privilege user can delete arbitrary user accounts simply by supplying the target's ID. The attack is carried out remotely through the normal web interface, and because the endpoint enforces no rate limit and requires no CSRF token, an attacker can delete many accounts in quick succession by iterating through IDs.
Impact
Exploitation of this vulnerability allows any authenticated user, regardless of privilege level, to delete user accounts they are not authorized to manage. Since the target is chosen only by ID, this can include accounts with more privileges than the attacker's own. Deleted users lose access to the system, and because the endpoint is not rate limited, an attacker can remove many accounts before the activity is noticed.
Reproduction
To reproduce this vulnerability, log in with a low-privilege account and keep its session cookie. Send a DELETE request to the /jshERP-boot/user/delete endpoint with an ID parameter set to the ID of the account to be deleted, using only that low-privilege session. The server processes the request as if it had come from an administrator and deletes the specified account. Repeating the request with a different ID deletes another account; nothing in the endpoint (no rate limit, no CSRF token) interferes with this. When verifying the issue on your own deployment, do so on a non-production instance against a throwaway account, because the deletion is immediate and there is no confirmation step.
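As an added illustration, not jshERP's own code (whose controller, service and session layout are not reproduced here), the following Spring MVC snippet shows the shape of a delete handler that has this class of bug beside a hardened version. The names SessionUser, UserService, the session attribute "user", and the second mapping path are assumptions made for the example.

```java
// Illustrative example only; NOT jshERP's actual controller.
// Assumed: login stores a SessionUser under the session attribute "user",
// and a UserService performs the actual deletion.
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/** Minimal principal kept server-side in the HTTP session (assumed shape). */
class SessionUser {
    private final long id;
    private final boolean admin;
    SessionUser(long id, boolean admin) { this.id = id; this.admin = admin; }
    long getId() { return id; }
    boolean isAdmin() { return admin; }
}

/** Persistence abstraction (assumed); the real project's service differs. */
interface UserService {
    void deleteById(long id);
}

@RestController
@RequestMapping("/user")
public class UserDeleteController {

    private final UserService userService;

    public UserDeleteController(UserService userService) {
        this.userService = userService;
    }

    /**
     * Vulnerable shape. The only thing checked is that *someone* is logged in.
     * The target is taken straight from the client-supplied id, so a
     * low-privilege caller deletes any account just by choosing the id.
     */
    @DeleteMapping("/delete")
    public ResponseEntity<String> deleteVulnerable(@RequestParam("id") long id,
                                                   HttpSession session) {
        SessionUser caller = (SessionUser) session.getAttribute("user");
        if (caller == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("login required");
        }
        userService.deleteById(id);   // no check that `caller` may delete `id`
        return ResponseEntity.ok("deleted");
    }

    /**
     * Hardened shape. The decision is made from server-side state (the session
     * principal) plus the target id, never from anything else the client sent,
     * and it lives in the handler itself so calling the endpoint directly
     * cannot skip it.
     */
    @DeleteMapping("/delete-hardened")   // separate path only so both shapes coexist
    public ResponseEntity<String> deleteHardened(@RequestParam("id") long id,
                                                 HttpSession session) {
        SessionUser caller = (SessionUser) session.getAttribute("user");
        if (caller == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("login required");
        }
        if (!isAllowedToDelete(caller, id)) {
            // Same response whether the target exists or not: do not leak
            // which ids are valid accounts to a caller who may not touch them.
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("forbidden");
        }
        userService.deleteById(id);
        return ResponseEntity.ok("deleted");
    }

    /**
     * Pure policy function, kept separate so it can be unit tested without
     * a servlet container. Policy chosen for the example: administrators may
     * delete any account; everyone else may delete only their own.
     */
    static boolean isAllowedToDelete(SessionUser caller, long targetId) {
        if (caller.isAdmin()) {
            return true;
        }
        return caller.getId() == targetId;
    }
}
```

Whether a non-admin may delete their own account is a product decision; the security-relevant point is that the permission check is derived from the server-side principal and the target, not from the request. For the two secondary issues the advisory notes, Spring Security's CSRF protection, when enabled, covers DELETE and other state-changing methods by default, and a per-session rate limit on this handler would turn bulk ID iteration into a visible, throttled event rather than a silent sweep.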
