Blinko Privilege Escalation Vulnerability in User Upsert Endpoint
Vulnerability
A privilege escalation vulnerability has been identified in Blinko versions prior to 1.8.4. The issue resides in the 'upsertUser' endpoint, which lacks proper authorization and input validation. Specifically, any logged-in user can access this endpoint, and the 'originalPassword' parameter is optional: if it is omitted, password verification is bypassed. Additionally, there is no ownership check to ensure that users can only modify their own accounts. This vulnerability allows authenticated users to change other users' passwords, escalate privileges to superadmin, and take over accounts.
Impact
Exploitation of this vulnerability enables any authenticated user to change the passwords of other users, gain superadmin privileges, and fully take over accounts.
Reproduction
To reproduce this vulnerability, an authenticated user sends a request to the 'upsertUser' endpoint without the 'originalPassword' parameter; because the parameter is absent, the password verification step is skipped. The same request can specify the 'id' of another user, since no ownership check is enforced, and set that user's password.
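The three missing checks (ownership of the target 'id', mandatory proof of the current password, and who may change roles) are easiest to see side by side. The following is an added illustrative model written for this page, not Blinko's own code: the store, the handler names and the plain-string password comparison are assumptions chosen to keep the example short.

```typescript
// Added illustrative model, not Blinko's code: a tiny in-memory user store and
// two handler shapes showing the three missing checks the advisory describes.
// Passwords are compared as plain strings only to keep the example short; a
// real handler verifies the supplied current password against a stored hash.
type Role = "user" | "superadmin";
interface UserRecord { id: number; password: string; role: Role; }
interface Caller { id: number; role: Role; }
interface UpsertInput { id?: number; password?: string; originalPassword?: string; role?: Role; }
type Store = Map<number, UserRecord>;

// Constructed sample data: one superadmin and one ordinary user.
function freshStore(): Store {
  return new Map<number, UserRecord>([
    [1, { id: 1, password: "admin-secret", role: "superadmin" }],
    [2, { id: 2, password: "alice-secret", role: "user" }],
  ]);
}

// Vulnerable shape: any authenticated caller may name any target id, and the
// current-password check only runs when the caller chooses to send one.
function upsertUserVulnerable(store: Store, caller: Caller, input: UpsertInput): UserRecord {
  const target = store.get(input.id ?? caller.id);
  if (!target) throw new Error("not found");
  if (input.originalPassword !== undefined && input.originalPassword !== target.password) {
    throw new Error("wrong password");
  }
  if (input.password !== undefined) target.password = input.password;
  if (input.role !== undefined) target.role = input.role;
  return target;
}

// Hardened shape: ownership check on the target id, mandatory current password
// for a password change, role changes reserved to superadmins; all checks
// run before any field is written.
function upsertUserHardened(store: Store, caller: Caller, input: UpsertInput): UserRecord {
  const targetId = input.id ?? caller.id;
  const isAdmin = caller.role === "superadmin";
  if (targetId !== caller.id && !isAdmin) throw new Error("forbidden: not your account");
  if (input.role !== undefined && !isAdmin) throw new Error("forbidden: role change");
  const target = store.get(targetId);
  if (!target) throw new Error("not found");
  if (input.password !== undefined && !isAdmin && input.originalPassword !== target.password) {
    throw new Error("current password required");
  }
  if (input.password !== undefined) target.password = input.password;
  if (input.role !== undefined) target.role = input.role;
  return target;
}
```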
Remediation
Users can update to Blinko version 1.8.4 or later, where this vulnerability has been patched.