StudioCMS Privilege Escalation Vulnerability via Insecure API Token Generation

Vulnerability

A privilege escalation vulnerability has been identified in StudioCMS versions prior to 0.4.0. The issue arises in the '/studiocms_api/dashboard/api-tokens' endpoint, where any authenticated user with at least Editor privileges can generate API tokens for other users, including those with owner and admin roles. The endpoint lacks proper authorization checks, allowing users to create tokens on behalf of others without permission. This vulnerability has been patched in version 0.4.0.

Impact

Exploitation of this vulnerability allows any authenticated user (above visitor) to gain owner-level access, along with full API access under the impersonated user's permissions. This could lead to an account takeover, as the attacker can access all REST API endpoints with the owner's privileges, including sensitive user and configuration data.

Reproduction

To reproduce this vulnerability, an authenticated user with Editor privileges can send a request to the '/studiocms_api/dashboard/api-tokens' endpoint. The request must include a payload specifying the user ID of an account with owner or admin privileges, along with a description for the token. The server will respond with a valid JWT token for the specified user, which can then be used to access the API with elevated rights.
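The following is an added example, not StudioCMS's own code: a minimal model of the authorization decision the advisory says the endpoint lacked, with the vulnerable form beside a hardened one. The role names, the request shape, the in-memory user directory and the policy that admins and owners may mint tokens only for lower-ranked accounts are all assumptions for illustration.

```typescript
// Hypothetical roles and request shape (assumed, not StudioCMS's definitions).
type Role = "visitor" | "editor" | "admin" | "owner";
interface User { id: string; role: Role }
interface TokenRequest { userId: string; description: string }
interface TokenResult { status: 200 | 403 | 404; token?: string }

// Higher number = more privilege.
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Constructed user directory standing in for the CMS database.
const USERS: Record<string, User> = {
  "u-owner": { id: "u-owner", role: "owner" },
  "u-admin": { id: "u-admin", role: "admin" },
  "u-editor": { id: "u-editor", role: "editor" },
};

// Stand-in for the real token issuer: returns an opaque tag, not a signed JWT.
function issueToken(forUser: User, description: string): string {
  return `token-for:${forUser.id}:${description}`;
}

// Vulnerable shape: only checks that the caller is at least an Editor, then
// mints a token for whatever userId the body names (the bug the advisory describes).
function createTokenVulnerable(requester: User, req: TokenRequest): TokenResult {
  if (RANK[requester.role] < RANK.editor) return { status: 403 };
  const target = USERS[req.userId];
  if (!target) return { status: 404 };
  return { status: 200, token: issueToken(target, req.description) };
}

// Hardened shape: the caller may mint a token for their own account, or
// (assumed policy) for a strictly lower-ranked account when the caller is
// admin or owner. An Editor can never obtain an owner's or admin's token.
function createTokenFixed(requester: User, req: TokenRequest): TokenResult {
  if (RANK[requester.role] < RANK.editor) return { status: 403 };
  const target = USERS[req.userId];
  // Uniform 403 so the endpoint does not confirm which user IDs exist.
  if (!target) return { status: 403 };
  const isSelf = requester.id === target.id;
  const outranksTarget =
    RANK[requester.role] >= RANK.admin && RANK[requester.role] > RANK[target.role];
  if (!isSelf && !outranksTarget) return { status: 403 };
  return { status: 200, token: issueToken(target, req.description) };
}
```

The hardened version also treats a request from an admin for another admin's account as forbidden, since the requester does not outrank the target.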

Remediation

Users are advised to update StudioCMS to version 0.4.0 or later, where this vulnerability has been fixed.

Added: Mar 10, 2026, 6:51 PM
Updated: Mar 10, 2026, 6:51 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.7
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.