eNet Smart Home Server Missing Authorization Vulnerability in User Account Deletion
Vulnerability
A missing authorization vulnerability has been identified in eNet SMART HOME server versions 2.2.1 and 2.3.1. The issue resides in the deleteUserAccount JSON-RPC method, where authenticated low-privileged users (UG_USER) can delete any user account, except for the admin account. This vulnerability arises because the application fails to enforce proper role-based access control, allowing standard users to send crafted POST requests to the management endpoint to remove accounts without needing elevated permissions or additional confirmation. As a result, this flaw enables unauthorized user management actions, potentially leading to a denial-of-service against legitimate users and disruption of operations.
Impact
Exploitation of this vulnerability allows for arbitrary deletion of user accounts by low-privileged users, except for the admin account. This could disrupt user access and operations within the smart home system.
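The flaw described above is a missing role check on a privileged JSON-RPC method: the handler verifies that the caller is authenticated and that the target is not the admin account, but never verifies that the caller is allowed to manage users. The following added example, which is constructed for this page and is not eNet code, shows a minimal JSON-RPC dispatcher with a vulnerable `deleteUserAccount` handler beside a hardened one that enforces a role check before any deletion and records denied attempts for audit. The role name `UG_USER` comes from the advisory; `UG_ADMIN`, the parameter name `username`, the error codes and the audit-log format are assumptions.

```python
"""Hypothetical JSON-RPC user-management dispatcher (constructed example).

Demonstrates the missing-authorization pattern from the advisory and its fix:
the vulnerable handler authorizes by "is the caller logged in?", the fixed
handler authorizes by "does the caller hold the admin role?".
"""
import json
from dataclasses import dataclass, field

UG_USER = "UG_USER"    # low-privileged role named in the advisory
UG_ADMIN = "UG_ADMIN"  # assumed name of the privileged role

# Assumed application-level JSON-RPC error codes (server-defined range).
ERR_FORBIDDEN = -32001
ERR_PROTECTED = -32002
ERR_NOT_FOUND = -32003


@dataclass
class Session:
    """An authenticated caller: who they are and which role they hold."""
    user: str
    role: str


@dataclass
class UserStore:
    """Constructed user database: username -> role."""
    users: dict = field(default_factory=lambda: {
        "admin": UG_ADMIN, "alice": UG_USER, "bob": UG_USER})
    audit: list = field(default_factory=list)  # denied-action log lines


def _delete(store, target):
    """Shared deletion step; the admin account is never deletable."""
    if target == "admin":
        return {"error": {"code": ERR_PROTECTED, "message": "admin is protected"}}
    if target not in store.users:
        return {"error": {"code": ERR_NOT_FOUND, "message": "no such user"}}
    del store.users[target]
    return {"result": True}


def delete_user_vulnerable(store, session, params):
    """Vulnerable: any authenticated session may delete any non-admin user."""
    return _delete(store, params["username"])


def delete_user_fixed(store, session, params):
    """Hardened: the caller must hold UG_ADMIN before the target is even looked at."""
    if session.role != UG_ADMIN:
        # Record the denial so repeated attempts from a low-privileged account
        # are visible to whoever reviews the server log.
        store.audit.append(
            f"DENY deleteUserAccount caller={session.user} role={session.role} "
            f"target={params.get('username')}")
        return {"error": {"code": ERR_FORBIDDEN, "message": "forbidden"}}
    return _delete(store, params["username"])


VULNERABLE_METHODS = {"deleteUserAccount": delete_user_vulnerable}
FIXED_METHODS = {"deleteUserAccount": delete_user_fixed}


def dispatch(store, session, raw_request, methods):
    """Parse one JSON-RPC 2.0 request and route it to a handler table."""
    req = json.loads(raw_request)
    handler = methods.get(req.get("method"))
    if handler is None:
        body = {"error": {"code": -32601, "message": "method not found"}}
    else:
        body = handler(store, session, req.get("params", {}))
    return {"jsonrpc": "2.0", "id": req.get("id"), **body}


# Constructed request: a UG_USER session asking to delete another user.
SAMPLE_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1,
                             "method": "deleteUserAccount",
                             "params": {"username": "alice"}})


def demo():
    """Run the same request against both handler tables; returns (vuln, fixed)."""
    low_priv = Session("bob", UG_USER)
    store_v, store_f = UserStore(), UserStore()
    resp_v = dispatch(store_v, low_priv, SAMPLE_REQUEST, VULNERABLE_METHODS)
    resp_f = dispatch(store_f, low_priv, SAMPLE_REQUEST, FIXED_METHODS)
    return (resp_v, "alice" in store_v.users), (resp_f, "alice" in store_f.users, store_f.audit)


if __name__ == "__main__":
    print(demo())
```

The check in `delete_user_fixed` runs before the target account is resolved, so an unprivileged caller learns nothing about which usernames exist, and the audit line gives a detection hook: a burst of `DENY deleteUserAccount` entries from one session is the signal a defender would alert on.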
