WebErpMesV2 Unauthenticated API Access Vulnerability Allowing Data Exposure and Manipulation
Vulnerability
A vulnerability in WebErpMesV2, prior to version 1.19, allows unauthenticated access to sensitive API endpoints. This oversight enables remote attackers to read critical business data such as company information, quotes, orders, tasks, and collaboration whiteboards. Additionally, the vulnerability permits limited write access, allowing the creation of company records and full manipulation of whiteboards. The issue arises because the API middleware group lacks authentication, leaving all routes exposed except for the '/api/user' endpoint.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive business data, with potential for data exfiltration, creation of fraudulent company records, and unauthorized modification of shared whiteboards. While the application does not support DELETE operations, the absence of authentication on critical API endpoints poses a significant risk of data exposure and manipulation.
Reproduction
The vulnerability can be reproduced by sending requests to the exposed API endpoints without any authentication. This can be done using a tool like cURL or Postman, or by writing a script that automates the process. The absence of authentication middleware allows for unrestricted access to the endpoints, enabling the reading of sensitive data or the creation and modification of records, such as companies and whiteboards.
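The check a maintainer would want for this is a regression test that pins the expected behaviour: every API route rejects a request that carries no token, and a token-holding user still gets through. The following Laravel feature test is an added example, not part of the advisory or of WebErpMesV2; the route paths (`/api/companies`, `/api/quotes`, `/api/orders`, `/api/tasks`, `/api/whiteboards`) and the default `User` factory are assumptions and must be mapped onto the real `routes/api.php`.

```php
<?php
// tests/Feature/ApiAuthTest.php -- added example, not WebErpMesV2's own test.
// Assumes Laravel Sanctum is installed and that the listed paths exist.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;

class ApiAuthTest extends TestCase
{
    use RefreshDatabase;

    // Assumed route paths; adjust to the application's real API routes.
    private const READ_PATHS = [
        '/api/companies',
        '/api/quotes',
        '/api/orders',
        '/api/tasks',
        '/api/whiteboards',
    ];

    /** A request with no token must get 401 from every API route, not just /api/user. */
    public function test_unauthenticated_requests_are_rejected(): void
    {
        foreach (self::READ_PATHS as $path) {
            $this->getJson($path)->assertStatus(401);
        }

        // The write paths the advisory describes must be closed as well.
        $this->postJson('/api/companies', ['name' => 'constructed-sample'])->assertStatus(401);
        $this->putJson('/api/whiteboards/1', ['content' => 'constructed-sample'])->assertStatus(401);
    }

    /** The protection must not lock out legitimate token holders. */
    public function test_authenticated_user_can_read(): void
    {
        Sanctum::actingAs(User::factory()->create(), ['*']);

        $this->getJson('/api/companies')->assertOk();
        $this->getJson('/api/user')->assertOk();
    }
}
```

Run it with `php artisan test --filter ApiAuthTest`; it fails on an unpatched install because the unauthenticated requests return 200 instead of 401, and passes once the `auth:sanctum` group is in place.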
Remediation
To address this vulnerability, authentication should be added to the API middleware group. This can be done by incorporating Laravel Sanctum for API token authentication and wrapping the routes in authentication middleware. Additionally, implementing role-based access control for sensitive operations and adding audit logging for API access are recommended.
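The following is an added example of the remediation just described, written as a Laravel `routes/api.php` plus one audit-logging middleware; it is not WebErpMesV2's own code. The controller classes, route paths, the `Company` and `Whiteboard` policies and the `audit` log channel are assumptions and need to be mapped onto the real application. The block shows two files separated by file-marker comments.

```php
<?php
// ===== file: routes/api.php =====
// Added example, not WebErpMesV2's own routes file. Controllers, models and
// paths below are assumed names.

use App\Http\Controllers\Api\CompanyController;    // assumed
use App\Http\Controllers\Api\WhiteboardController; // assumed
use App\Http\Middleware\AuditApiAccess;
use App\Models\Company;                            // assumed
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Vulnerable shape, as the advisory describes it: only /api/user is wrapped in
// auth:sanctum; every other route answers without a token.
//
// Route::middleware('auth:sanctum')->get('/user', fn (Request $r) => $r->user());
// Route::get('/companies', [CompanyController::class, 'index']);               // exposed
// Route::post('/companies', [CompanyController::class, 'store']);              // exposed
// Route::put('/whiteboards/{whiteboard}', [WhiteboardController::class, 'update']); // exposed

// Fixed shape: one group carries authentication and audit logging, so a route
// added later inherits both. Unauthenticated JSON requests receive 401.
Route::middleware([AuditApiAccess::class, 'auth:sanctum'])->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());

    Route::get('/companies', [CompanyController::class, 'index']);
    // Role-based check: only users the CompanyPolicy allows may create records.
    Route::post('/companies', [CompanyController::class, 'store'])
        ->middleware('can:create,' . Company::class);

    Route::get('/whiteboards/{whiteboard}', [WhiteboardController::class, 'show']);
    // The bound Whiteboard model is handed to WhiteboardPolicy::update().
    Route::put('/whiteboards/{whiteboard}', [WhiteboardController::class, 'update'])
        ->middleware('can:update,whiteboard');
});

// ===== file: app/Http/Middleware/AuditApiAccess.php =====
// Added example middleware: one structured line per API call, including
// rejected ones, on the 'audit' channel (assumed to exist in config/logging.php).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class AuditApiAccess
{
    public function handle(Request $request, Closure $next): Response
    {
        $status = 500; // overwritten below; kept for unexpected exceptions

        try {
            $response = $next($request);
            $status = $response->getStatusCode();
            return $response;
        } catch (AuthenticationException $e) {
            $status = 401; // missing or invalid token, rejected by auth:sanctum
            throw $e;
        } catch (AuthorizationException $e) {
            $status = 403; // token valid but policy denied the action
            throw $e;
        } finally {
            Log::channel('audit')->info('api_access', [
                'user_id' => $request->user()?->id, // null for rejected requests
                'method'  => $request->method(),
                'path'    => $request->path(),
                'ip'      => $request->ip(),
                'status'  => $status,
            ]);
        }
    }
}
```

The audit middleware is listed before `auth:sanctum` on purpose: that way the 401 and 403 outcomes are recorded as well, which is what makes the log useful for spotting probing of the API after the fix is deployed. Passing the middleware by class name avoids having to register an alias in `app/Http/Kernel.php` or `bootstrap/app.php`.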
