StudioCMS REST API Privilege Escalation Vulnerability via Inconsistent User Rank Checks

Vulnerability

A vulnerability in StudioCMS versions prior to 0.4.3 allows for privilege escalation through inconsistent user rank checks in the REST API. The createUser endpoint only prevents the creation of owner accounts, while the Dashboard API correctly blocks the creation of users at or above the admin's rank. This inconsistency enables an admin to create additional admin accounts via the REST API, facilitating privilege proliferation and persistence.
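The inconsistency described above, modelled as an added example (this is not StudioCMS code and is not taken from the 0.4.3 fix): one function reproduces the pre-0.4.3 REST API rule that refuses only "owner", and a second applies the Dashboard API rule that refuses any rank at or above the caller's own. The rank ordering, the request shape and the function names are assumptions made for the illustration; only "admin" and "owner" come from the advisory.

```typescript
// Added example, not StudioCMS's own code. Models the two createUser rank checks
// the advisory contrasts. The rank ordering below is an assumption.
type Rank = "visitor" | "editor" | "admin" | "owner";

// Assumed privilege ordering: a higher number means more privilege.
const RANK_LEVEL: Record<Rank, number> = {
  visitor: 0,
  editor: 1,
  admin: 2,
  owner: 3,
};

// Request body as it arrives from the wire: rank is an untrusted string here,
// not a Rank, because JSON input cannot be assumed to be one of the known names.
interface CreateUserRequest {
  username: string;
  email: string;
  displayName: string;
  rank: string;
}

interface Decision {
  allowed: boolean;
  reason: string;
}

function isKnownRank(value: string): value is Rank {
  return Object.prototype.hasOwnProperty.call(RANK_LEVEL, value);
}

// Pre-0.4.3 behaviour as the advisory describes it: the only rank refused is
// "owner", so an admin caller may create further admin accounts.
function restCreateUserCheckVulnerable(_callerRank: Rank, req: CreateUserRequest): Decision {
  if (req.rank === "owner") {
    return { allowed: false, reason: "cannot create owner accounts" };
  }
  return { allowed: true, reason: "ok" };
}

// Dashboard-style rule the advisory calls correct: the caller may only create
// users strictly below their own rank. Unknown rank names are refused outright.
function createUserCheckHardened(callerRank: Rank, req: CreateUserRequest): Decision {
  if (!isKnownRank(req.rank)) {
    return { allowed: false, reason: `unknown rank "${req.rank}"` };
  }
  if (RANK_LEVEL[req.rank] >= RANK_LEVEL[callerRank]) {
    return {
      allowed: false,
      reason: `rank "${req.rank}" is not below caller rank "${callerRank}"`,
    };
  }
  return { allowed: true, reason: "ok" };
}

// Runs both checks over one request so the divergence shows up as data; a
// reviewer auditing an API surface would want every entry point to agree.
function compareChecks(callerRank: Rank, req: CreateUserRequest): { vulnerable: boolean; hardened: boolean } {
  return {
    vulnerable: restCreateUserCheckVulnerable(callerRank, req).allowed,
    hardened: createUserCheckHardened(callerRank, req).allowed,
  };
}

// Constructed sample request in the shape the advisory's reproduction section
// lists (password omitted): an admin asking for a second admin.
const SAMPLE_ADMIN_REQUEST: CreateUserRequest = {
  username: "second-admin",
  email: "second-admin@example.invalid",
  displayName: "Second Admin",
  rank: "admin",
};

const result = compareChecks("admin", SAMPLE_ADMIN_REQUEST);
console.log(`vulnerable check allows admin->admin: ${result.vulnerable}`);
console.log(`hardened check allows admin->admin: ${result.hardened}`);
```

The hardened check also rejects rank names it does not recognise, a case the strict-inequality rule alone would not cover if a lookup on an unknown key silently yielded `undefined`.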

Impact

Exploitation of this vulnerability allows a compromised admin to create additional admin accounts, bypassing intended authorization controls. This could lead to unauthorized access and actions within the application, as well as confusion about permission boundaries due to the inconsistent API behavior.

Reproduction

To reproduce this vulnerability, use an admin-level API token to make a POST request to the REST API createUser endpoint. Include the desired username, email, display name, rank (set to 'admin'), and password in the request. The API should respond with a 200 status, indicating that the admin account was successfully created, despite this action being unauthorized.

Remediation

Update to StudioCMS version 0.4.3 or later, where this vulnerability is fixed.

Added: Mar 11, 2026, 9:26 PM
Updated: Mar 11, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.