StudioCMS Broken Object Level Authorization Vulnerability Allowing Draft Access for Visitors
Vulnerability
A Broken Object Level Authorization (BOLA) vulnerability has been identified in StudioCMS versions prior to 0.2.0. This vulnerability allows users with the 'Visitor' role to access draft content created by users with Editor, Admin, or Owner roles. The issue arises because the content management feature's authorization checks do not properly validate user roles or content ownership, enabling unauthorized access to sensitive information.
Impact
Exploitation of this vulnerability allows unauthorized users to access unpublished draft content, which may contain sensitive or confidential information. This access bypasses the role-based access control system, undermining the trust model of multi-user content management.
Reproduction
To reproduce this vulnerability, log in as a user with the Editor role and create a draft content piece. After saving the draft, note the UUID of the content. Then, log in as a Visitor and obtain an authentication cookie. With this cookie, access the draft content by sending a request to the content management edit endpoint, including the UUID of the draft. The response will contain the draft content, demonstrating unauthorized access.
Remediation
Users can update to StudioCMS version 0.2.0, which addresses this vulnerability by implementing proper middleware-level permission checks for dashboard routes, preventing unauthorized access.
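The middleware-level check that fix describes, shown as an added TypeScript example that is not StudioCMS's own code: the role names, the `/dashboard/` route prefix, the `Draft` shape and the UUIDs are constructed, and the rule that an editor may open only their own drafts is an assumption made for illustration. The weak handler (session check only) stands beside the hardened one so the difference shows on the same request.

```typescript
// Added illustration of the authorization gap described in the advisory and of a
// middleware-level fix. This is not StudioCMS code: the role names, the
// "/dashboard/" route prefix, the Draft shape and every UUID below are assumptions.

type Role = "visitor" | "editor" | "admin" | "owner";

interface Session {
  userId: string;
  role: Role;
}

interface Draft {
  id: string;       // content UUID (constructed values below)
  ownerId: string;  // userId of the author
  body: string;
}

interface Decision {
  status: 200 | 401 | 403 | 404;
  reason: string;
}

// Roles allowed onto any /dashboard/* route at all.
const DASHBOARD_ROLES: ReadonlySet<Role> = new Set<Role>(["editor", "admin", "owner"]);
// Roles that may open drafts they do not own (assumed policy).
const PRIVILEGED_ROLES: ReadonlySet<Role> = new Set<Role>(["admin", "owner"]);

// Constructed sample data standing in for the content table and for logged-in users.
const DRAFT_ALICE = "11111111-1111-4111-8111-111111111111";
const DRAFT_BOB = "22222222-2222-4222-8222-222222222222";
const DRAFTS: ReadonlyMap<string, Draft> = new Map<string, Draft>([
  [DRAFT_ALICE, { id: DRAFT_ALICE, ownerId: "alice", body: "unpublished Q3 announcement" }],
  [DRAFT_BOB, { id: DRAFT_BOB, ownerId: "bob", body: "unpublished pricing change" }],
]);
const VISITOR: Session = { userId: "vince", role: "visitor" };
const EDITOR_ALICE: Session = { userId: "alice", role: "editor" };
const ADMIN: Session = { userId: "root", role: "admin" };

// The pattern the advisory describes: the edit endpoint only asks "is there a
// session?", so any authenticated visitor who knows a UUID receives the draft.
function weakEditHandler(session: Session | null, draftId: string): Decision {
  if (session === null) return { status: 401, reason: "login required" };
  const draft = DRAFTS.get(draftId);
  if (draft === undefined) return { status: 404, reason: "no such draft" };
  return { status: 200, reason: `draft returned to ${session.role} ${session.userId}` };
}

// Middleware-level check, run before any route handler. Returning null means
// "pass through to the handler"; returning a Decision short-circuits the request.
function dashboardMiddleware(path: string, session: Session | null): Decision | null {
  if (!path.startsWith("/dashboard/")) return null; // public route, not our concern
  if (session === null) return { status: 401, reason: "login required" };
  if (!DASHBOARD_ROLES.has(session.role)) {
    return { status: 403, reason: `${session.role} may not use the dashboard` };
  }
  return null;
}

// Object-level check kept in the handler as defence in depth: editors open only
// their own drafts, admins and owners open any draft.
function canAccessDraft(session: Session, draft: Draft): boolean {
  if (PRIVILEGED_ROLES.has(session.role)) return true;
  return session.role === "editor" && draft.ownerId === session.userId;
}

function hardenedEditHandler(path: string, session: Session | null, draftId: string): Decision {
  const blocked = dashboardMiddleware(path, session);
  if (blocked !== null || session === null) {
    return blocked ?? { status: 401, reason: "login required" };
  }
  const draft = DRAFTS.get(draftId);
  if (draft === undefined) return { status: 404, reason: "no such draft" };
  if (!canAccessDraft(session, draft)) {
    return { status: 403, reason: `${session.userId} does not own draft ${draftId}` };
  }
  return { status: 200, reason: `draft returned to ${session.role} ${session.userId}` };
}

// Same request through both handlers, so the difference is visible side by side.
function compare(session: Session | null, draftId: string): { weak: number; hardened: number } {
  const path = `/dashboard/content/edit/${draftId}`;
  return {
    weak: weakEditHandler(session, draftId).status,
    hardened: hardenedEditHandler(path, session, draftId).status,
  };
}

console.log("visitor -> alice's draft", compare(VISITOR, DRAFT_ALICE));      // weak 200, hardened 403
console.log("alice   -> own draft    ", compare(EDITOR_ALICE, DRAFT_ALICE)); // weak 200, hardened 200
console.log("alice   -> bob's draft  ", compare(EDITOR_ALICE, DRAFT_BOB));   // weak 200, hardened 403
console.log("admin   -> bob's draft  ", compare(ADMIN, DRAFT_BOB));          // weak 200, hardened 200
```

The middleware denies the whole `/dashboard/` prefix to visitors before any handler runs, which is the remediation the advisory names; the ownership check inside the handler is the second layer, so a route that the middleware does not cover still refuses a visitor the draft.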
