Bagisto Missing Authentication Vulnerability in Installer API Endpoints Allowing Unauthorized Admin Account Creation

Vulnerability

A critical vulnerability exists in Bagisto versions 2.3 prior to 2.3.10, where the installer's API routes remain active after the initial installation has completed. The API endpoints under '/install/api/*' are accessible without authentication, allowing attackers to bypass the installer interface entirely. This vulnerability enables unauthorized users to create admin accounts, modify application configurations, and potentially overwrite existing data.

Impact

Exploitation of this vulnerability allows for the creation of admin accounts, unauthorized access to administrative privileges, and the ability to modify application settings and data.

Reproduction

To reproduce this vulnerability, send a POST request to '/install/api/admin-config-setup' without any authentication. This can be done using an HTTP client or curl. The request will be accepted, and a new admin account will be created, bypassing the installation process.

Remediation

Update to Bagisto version 2.3.10, which addresses this vulnerability.
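A defender-side check that is added here and is not part of the advisory or of Bagisto itself: it scans web-server access logs for any request to '/install/api/*' made after the installation was completed, and flags a successful POST to the endpoint named above as a likely unauthorized admin account creation. The sample log lines, the installation timestamp and the second installer path are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Combined-format access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
INSTALLER_API_PREFIX = "/install/api/"
ADMIN_SETUP_PATH = "/install/api/admin-config-setup"  # endpoint named in the advisory

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0], "status": int(m.group("status"))}

def find_installer_api_hits(log_text, installed_at):
    """Flag every /install/api/* request made after installation finished."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["time"] <= installed_at:
            continue
        if not rec["path"].startswith(INSTALLER_API_PREFIX):
            continue
        # A 2xx POST to the admin setup endpoint is the strongest signal: on an
        # unpatched instance that request creates an admin account.
        rec["admin_creation"] = (rec["method"] == "POST"
                                 and rec["path"] == ADMIN_SETUP_PATH
                                 and 200 <= rec["status"] < 300)
        hits.append(rec)
    return hits

# Constructed sample log (not real traffic); "placeholder-step" is not a real route.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2026:10:12:01 +0000] "GET /admin/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jan/2026:10:13:44 +0000] "POST /install/api/admin-config-setup HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.9 - - [03/Jan/2026:10:13:50 +0000] "POST /install/api/placeholder-step HTTP/1.1" 404 0 "-" "curl/8.4.0"
198.51.100.7 - - [03/Jan/2026:10:15:02 +0000] "GET /install HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Assumed time the installation was completed (placeholder value).
INSTALL_COMPLETED = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for h in find_installer_api_hits(SAMPLE_LOG, INSTALL_COMPLETED):
        flag = "ADMIN ACCOUNT CREATION" if h["admin_creation"] else "installer API access"
        print(f'{h["time"]:%Y-%m-%d %H:%M:%S} {h["ip"]} {h["method"]} {h["path"]} -> {flag}')
```

Any hit after the installation date on an instance that was not deliberately being reinstalled warrants reviewing the admin user table for accounts that were not created by a known administrator.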

Added: Jan 2, 2026, 8:18 PM
Updated: Jan 2, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.