StudioCMS Notification Preferences IDOR Vulnerability Allows Modification of Any User's Settings
Vulnerability
A vulnerability in StudioCMS versions prior to 0.4.3 allows any authenticated user to modify the notification preferences of any other user. The issue arises in the `updateUserNotifications` endpoint, which accepts a user ID from the request payload to update notification settings. While the endpoint verifies that the caller is logged in, it fails to check if the caller owns the account being modified. This oversight enables authenticated users to alter notification preferences, including disabling admin notifications, which could obscure detection of malicious activities.
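The missing ownership check described above, as an added illustration that is not StudioCMS's own code: a simplified, framework-agnostic model of the endpoint in its vulnerable shape beside the hardened shape. The types, the in-memory store and the function names are assumptions made for this example.

```typescript
// Simplified model of the notification-preferences endpoint (assumed
// shapes, not StudioCMS's real types or handler).
interface Session { userId: string; }
interface NotificationPrefs { emailOnLogin: boolean; adminAlerts: boolean; }
interface UpdateRequest { userId: string; prefs: NotificationPrefs; }
type Result = { status: 200 | 401 | 403; body: string };

// Constructed in-memory store standing in for the database.
const prefsStore = new Map<string, NotificationPrefs>([
  ["admin-1", { emailOnLogin: true, adminAlerts: true }],
  ["visitor-7", { emailOnLogin: false, adminAlerts: false }],
]);

function getPrefs(userId: string): NotificationPrefs | undefined {
  return prefsStore.get(userId);
}

// Vulnerable shape: authentication is checked, ownership is not.
// The target userId is taken straight from the payload, so any
// logged-in caller can overwrite another user's preferences (IDOR).
function updateUserNotificationsVulnerable(
  session: Session | null, req: UpdateRequest,
): Result {
  if (!session) return { status: 401, body: "not logged in" };
  prefsStore.set(req.userId, req.prefs);
  return { status: 200, body: "updated" };
}

// Hardened shape: the record written is bound to the authenticated
// session, and a payload userId that disagrees with it is rejected
// before any write happens.
function updateUserNotificationsFixed(
  session: Session | null, req: UpdateRequest,
): Result {
  if (!session) return { status: 401, body: "not logged in" };
  if (req.userId !== session.userId) {
    return { status: 403, body: "cannot modify another user's settings" };
  }
  prefsStore.set(session.userId, req.prefs);
  return { status: 200, body: "updated" };
}
```

A server-side audit log entry on the 403 branch gives defenders a signal for this probing; the same ownership comparison belongs in any handler that takes a target user id from the client.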
Impact
Exploitation of this vulnerability allows any authenticated user to disrupt notification settings for other users, particularly admins. This could be used to silence alerts about critical account activities, creating opportunities for further malicious actions with reduced risk of detection.
Reproduction
To reproduce this vulnerability, log in as a user with visitor privileges. Once authenticated, send a POST request to the `update-user-notifications` endpoint with the session token of that visitor user, including the user ID of an admin account in the request payload. Although the visitor is not authorized to modify that account, the server responds with a success message, indicating that the admin's notification preferences were updated.
Remediation
Users are advised to update to StudioCMS version 0.4.3 or later, where this vulnerability has been fixed.