Pimcore Web2Print Tools Bundle Broken Access Control Vulnerability in Favourite Output Channel Configurations
Vulnerability
A broken access control vulnerability has been identified in the Pimcore Web2Print Tools Bundle, affecting versions prior to 5.2.2 and 6.1.1. The issue arises because the application does not enforce proper server-side authorization checks on the API endpoint that manages 'Favourite Output Channel Configurations.' As a result, an authenticated backend user, even without explicit permissions for this feature, could still invoke the endpoint to modify or retrieve these configurations. This lack of authorization validation at the function level violates the principle of least privilege, allowing unauthorized users to access functionalities reserved for privileged roles.
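The following PHP sketch is an added illustration of this defect class and is not code from the bundle or from Pimcore; the controller name, the permission key and the BackendUser class are hypothetical. The vulnerable action relies only on the caller being authenticated, while the hardened action adds the explicit server-side, per-action permission check that the advisory says was missing.

```php
<?php
// Added illustration (not the bundle's own code): the difference between
// "is the caller logged in?" and "may the caller use this feature?".
// FavouriteOutputChannelController, BackendUser and the permission key are hypothetical.

final class BackendUser
{
    public function __construct(public string $name, private array $permissions) {}

    // Server-side permission lookup; the list comes from the user's role, never from the request.
    public function isAllowed(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class ForbiddenException extends RuntimeException {}

final class FavouriteOutputChannelController
{
    private const PERMISSION = 'web2print_favourite_output_channels'; // hypothetical key
    private array $configs = [];

    // Vulnerable pattern: the login firewall guarantees an authenticated user,
    // so the action never asks whether *this* user may manage the feature.
    public function saveVulnerable(BackendUser $user, array $config): array
    {
        $this->configs[] = $config;
        return ['success' => true];
    }

    // Hardened pattern: an explicit permission check runs before any read or
    // write of the configuration data, so authentication alone is not enough.
    public function saveFixed(BackendUser $user, array $config): array
    {
        if (!$user->isAllowed(self::PERMISSION)) {
            throw new ForbiddenException('missing permission ' . self::PERMISSION);
        }
        $this->configs[] = $config;
        return ['success' => true];
    }
}

// Constructed sample: an authenticated editor who lacks the feature permission.
$editor = new BackendUser('editor', ['documents']);
$ctrl = new FavouriteOutputChannelController();
$ctrl->saveVulnerable($editor, ['name' => 'pdf-default']); // accepted: no authorization check
try {
    $ctrl->saveFixed($editor, ['name' => 'pdf-default']);  // rejected by the permission check
} catch (ForbiddenException $e) {
    echo "403: {$e->getMessage()}\n";
}
```

The same check belongs on the list and update actions as well, since the advisory covers retrieval as well as modification.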
Impact
Exploitation of this vulnerability could lead to unauthorized viewing, creation, or modification of 'Favourite Output Channel Configurations,' actions that should be restricted to specific administrative roles. Depending on the sensitivity of the altered configurations, such as those related to alert routing or data streams, this could allow an attacker to misdirect critical outputs, suppress notifications, or gain insights into internal workflows. In regulated environments, such actions could result in compliance violations or operational disruptions.
Reproduction
To reproduce this vulnerability, log in as an authenticated backend user who does not have explicit permissions for managing 'Favourite Output Channel Configurations.' Once logged in, access the API endpoint for listing, creating, or updating these configurations. The request can be made by copying the necessary authentication tokens from the browser and pasting them into a request to the vulnerable endpoint. This process can be automated with a script or a tool like Postman.
Remediation
Users can upgrade to Pimcore Web2Print Tools Bundle versions 5.2.2 or 6.1.1, where this vulnerability has been addressed.
