jshERP IDOR Vulnerability in Password Update Endpoint Allowing Arbitrary Password Changes

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in jshERP versions through 3.5. The /jshERP-boot/user/updatePwd endpoint takes the ID of the account whose password is to be changed from the request rather than from the authenticated session, so a user with a low-privilege account can change the password of any other user, including administrators. The application hashes passwords with MD5 and lacks rate limiting and adequate cross-site request forgery (CSRF) protection, so the current password the endpoint asks for can be brute-forced, enabling account takeover.

Impact

Exploitation of this vulnerability allows the takeover of any user account: the attacker sets a new password for the target account and can then authenticate as that user.

Reproduction

To reproduce this vulnerability, log in with a low-privilege account and send a request to the /jshERP-boot/user/updatePwd endpoint. Include the user ID of the account whose password is to be changed, the current password (which can be brute-forced if necessary), and the new password. The request will successfully change the target account's password, bypassing normal restrictions.
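The flaw described above, modelled as an added example that is not jshERP's own (Java) code: a password-change handler that takes the target account from the request body, beside a hardened version that binds the target to the authenticated session, rejects a mismatching userId, compares the current password in constant time, and replaces MD5 with a salted slow hash. User records and passwords are constructed sample data; the request dict keys (userId, oldPassword, newPassword) are assumed names.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; tune for the deployment


def md5_store():
    """Constructed sample users stored with the weak MD5 scheme the advisory describes."""
    return {1: {"name": "admin", "pw": hashlib.md5(b"admin123").hexdigest()},
            2: {"name": "clerk", "pw": hashlib.md5(b"clerk123").hexdigest()}}


def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def pbkdf2_store():
    """The same sample users with a per-user salt and a slow hash."""
    store = {}
    for uid, name, pw in ((1, "admin", "admin123"), (2, "clerk", "clerk123")):
        salt = os.urandom(16)
        store[uid] = {"name": name, "salt": salt, "pw": pbkdf2(pw, salt)}
    return store


def update_pwd_vulnerable(store, session_uid, req):
    """IDOR: the account to modify comes from the request body, so any
    authenticated caller can name any userId; session_uid is never consulted."""
    user = store.get(req["userId"])
    if user is None or user["pw"] != hashlib.md5(req["oldPassword"].encode()).hexdigest():
        return False
    user["pw"] = hashlib.md5(req["newPassword"].encode()).hexdigest()
    return True


def update_pwd_hardened(store, session_uid, req):
    """The target is always the authenticated principal. A userId that disagrees
    with the session is refused (and is worth alerting on); the current password
    is verified with a constant-time compare against the salted hash."""
    if "userId" in req and req["userId"] != session_uid:
        return False
    user = store[session_uid]
    if not hmac.compare_digest(pbkdf2(req["oldPassword"], user["salt"]), user["pw"]):
        return False
    user["salt"] = os.urandom(16)
    user["pw"] = pbkdf2(req["newPassword"], user["salt"])
    return True


def check_login(store, uid, password):
    """Verifies a password against the hardened store (used to confirm outcomes)."""
    user = store[uid]
    return hmac.compare_digest(pbkdf2(password, user["salt"]), user["pw"])
```

A mismatching userId in the hardened handler is a clean detection signal: log it with the session principal and the requested ID, since a legitimate client never sends a foreign ID to this endpoint.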

Added: Jul 22, 2025, 1:17 AM
Updated: Jul 22, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.