Emlog
cpe:2.3:a:emlog:emlog:*:*:*:*:*:*:*
- 2.5.23
A vulnerability in Emlog version 2.5.23 allows users to bypass restrictions preventing them from editing or deleting published articles. This issue arises from improper access control settings that can be manipulated by registered users. As of now, there are no known patched versions available.
Exploitation of this vulnerability could lead to unauthorized modifications of published articles by users who should not have that capability.
To reproduce this vulnerability, first, log in as a registered user and publish an article. Once the article is published, attempt to edit it. The request will be blocked due to the access control settings that prevent edits after publication. Next, log in as an admin and adjust the settings to allow registered users to publish without review and to restrict editing or deletion after publication. After saving these settings, return to the registered user account and try to edit the previously published article. The edit will be successfully processed, bypassing the intended restrictions.
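An added example, not taken from the advisory or from Emlog's code: a Python model of the server-side edit/delete decision, plus a check that enabling the post-publication restriction never turns a denied request into an allowed one, which is the behaviour the reproduction steps describe. The role names, article states, setting names and the faulty variant are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

ADMIN, REGISTERED = "admin", "registered"   # hypothetical role names
DRAFT, PUBLISHED = "draft", "published"     # hypothetical article states


@dataclass(frozen=True)
class Settings:
    publish_without_review: bool   # registered users may publish directly
    lock_after_publish: bool       # forbid edit/delete once published


def may_modify(role, is_author, state, settings):
    """Server-side decision for an edit or delete request (deny by default)."""
    if role == ADMIN:
        return True
    if role != REGISTERED or not is_author:
        return False
    if state == PUBLISHED and settings.lock_after_publish:
        return False
    return True


def restriction_regressions(decide):
    """Return every case where turning the lock ON changes a deny into an allow.

    Both settings from the reproduction steps are varied, so the property is
    checked with and without direct publishing enabled.
    """
    bad = []
    for role, is_author, state, direct in product(
            (ADMIN, REGISTERED), (True, False), (DRAFT, PUBLISHED), (True, False)):
        off = decide(role, is_author, state, Settings(direct, False))
        on = decide(role, is_author, state, Settings(direct, True))
        if on and not off:
            bad.append((role, is_author, state, direct))
    return bad


def inverted_lock(role, is_author, state, settings):
    """Constructed faulty variant (not a claim about Emlog's code):
    reads the lock flag with the wrong sense."""
    if role == ADMIN:
        return True
    if role != REGISTERED or not is_author:
        return False
    return state != PUBLISHED or settings.lock_after_publish
```

Running `restriction_regressions` against the real update and delete handlers' decision logic in a test suite gives a regression check for this class of bug: any non-empty result means a restriction setting is widening access.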