StudioCMS Password Reset Vulnerability Allowing Admin-to-Owner Account Takeover
Vulnerability
A vulnerability in StudioCMS versions prior to 0.4.3 allows an authenticated user with the admin role to take over the owner account through the password reset functionality. The flaw is in the POST /studiocms_api/dashboard/create-reset-link endpoint, which performs two insufficient checks: it does not verify that the user ID named as the reset target is the requesting admin's own account, and it does not enforce the role hierarchy, so a lower-ranked admin can name the owner account as the target. The reset token the endpoint issues is accepted by POST /studiocms_api/dashboard/reset-password, so the two endpoints together yield a complete takeover of the highest-privileged account in the system.
Impact
Exploitation of this vulnerability allows an admin user to reset the password of the owner account, gaining full control over the StudioCMS instance, including access to all content, user management, and system configuration.
Reproduction
To reproduce this vulnerability, start from an authenticated session that holds the admin role (the endpoint does check for that; it is the only check it performs). With that session, send a request to the create-reset-link endpoint naming the user ID of the owner account as the reset target. The server answers with a password reset token in the response body, so the attacker never needs access to the owner's mailbox or any other out-of-band channel. Submitting that token to the reset-password endpoint together with a new password changes the owner's password and completes the account takeover.
Remediation
Users are advised to update StudioCMS to version 0.4.3 or later, where this vulnerability has been fixed. After upgrading, confirm the fix on a non-production instance: a request to the create-reset-link endpoint from an admin session that names the owner's user ID should be rejected rather than answered with a token. Until the upgrade is applied, treat every admin account as equivalent to the owner account when deciding who holds it.
