StudioCMS API Token Revocation Vulnerability Allowing Denial-of-Service
Vulnerability
A vulnerability in StudioCMS versions prior to 0.4.0 allows authenticated users with editor privileges to revoke API tokens belonging to any user, including users with admin or owner status. The issue lies in the DELETE /studiocms_api/dashboard/api-tokens endpoint, which accepts the tokenID and userID from the request payload without verifying that the token belongs to the caller, and without checking the caller's identity or role against the token's owner. The flaw can disrupt critical integrations and automations, because tokens of higher-privileged users can be deleted by a lower-privileged account.
Impact
Exploitation of this vulnerability can lead to a targeted denial-of-service, where API tokens of critical users are revoked, causing disruptions in automated workflows and integrations.
Reproduction
To reproduce this vulnerability, an authenticated user with editor privileges sends a DELETE request to the /studiocms_api/dashboard/api-tokens endpoint. The request payload contains a tokenID belonging to another user together with that user's userID. Because the endpoint performs no ownership or role check, the editor can revoke tokens from admin or owner accounts.
Remediation
Users can update to StudioCMS version 0.4.0 or later, where this vulnerability has been fixed.
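The following is an added illustration of the authorization gap described in the Vulnerability and Reproduction sections, and of the kind of check that closes it. It is not StudioCMS code: the token store, the session shape, the role ranking and the handler names are assumptions made for this example. The vulnerable handler takes both the caller's identity (userID) and the target token from the request body, so any logged-in user can delete any token whose ID and owner they know. The hardened handler ignores the body's userID entirely, derives the caller from the session, and allows the deletion only when the token is the caller's own or the caller's role outranks the owner's.

```typescript
// Added example, not StudioCMS code. Store, session and role model are assumed.

type Role = "visitor" | "editor" | "admin" | "owner";

interface Session { userId: string; role: Role; }
interface ApiToken { id: string; ownerId: string; }
interface DeleteBody { tokenID: string; userID: string; }

// Constructed sample data: an editor and an owner, each holding one API token.
function seedTokens(): Map<string, ApiToken> {
  return new Map<string, ApiToken>([
    ["tok-editor", { id: "tok-editor", ownerId: "u-editor" }],
    ["tok-owner", { id: "tok-owner", ownerId: "u-owner" }],
  ]);
}

// Vulnerable shape (assumed): the session proves only that someone is logged in;
// the target token and the "owning" user both come from the request body.
function deleteTokenVulnerable(
  store: Map<string, ApiToken>,
  session: Session | null,
  body: DeleteBody,
): number {
  if (!session) return 401;
  const token = store.get(body.tokenID);
  if (!token || token.ownerId !== body.userID) return 404;
  store.delete(body.tokenID); // no check that session.userId owns the token
  return 200;
}

// Assumed role hierarchy used for the "outranks the owner" rule.
const RANK: Record<Role, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Hardened shape: identity comes from the session, never from the body, and the
// token must be the caller's own unless the caller strictly outranks its owner.
function deleteTokenHardened(
  store: Map<string, ApiToken>,
  session: Session | null,
  body: DeleteBody,
  roleOf: (userId: string) => Role, // assumed lookup of a user's role
): number {
  if (!session) return 401;
  const token = store.get(body.tokenID);
  if (!token) return 404;
  const isOwnToken = token.ownerId === session.userId;
  const outranksOwner = RANK[session.role] > RANK[roleOf(token.ownerId)];
  if (!isOwnToken && !outranksOwner) return 403; // body.userID is irrelevant here
  store.delete(body.tokenID);
  return 200;
}
```

The detection-side counterpart of the same rule is to log, for every token revocation, the session user and the token owner: a revocation where the two differ and the session role does not outrank the owner's is exactly the event the hardened handler refuses, and a spike of such entries against admin or owner tokens is the denial-of-service pattern the advisory describes.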
