Indotalent Asp.Net-Core-Inventory-Order-Management-System Improper Authorization Vulnerability in Security API

Vulnerability

An improper authorization vulnerability has been identified in Indotalent's Asp.Net-Core-Inventory-Order-Management-System, all versions through 9.20250118. The issue arises from missing server-side authorization checks on privileged endpoints within the Security API, specifically '/api/Security/GetUserList', '/api/Security/GetMyProfileList', and '/api/Security/UpdateUser'. Because the server never verifies the caller's role, low-privileged authenticated users can enumerate, read, and modify all user accounts, including administrator accounts, resulting in a complete compromise of user management functions.

Impact

Exploitation of this vulnerability allows low-privileged users to gain full administrative access within the application, enabling them to manage all user accounts, including administrators.

Reproduction

The vulnerability can be reproduced by first accessing the unauthenticated Swagger endpoint, which reveals the available Security API endpoints. After obtaining a valid bearer token from a low-privileged user account, this token can be used to access the privileged endpoints. The 'GetUserList' endpoint can be called to enumerate all users, including administrators. Then, the 'GetMyProfileList' endpoint can be used to access sensitive profile information of any user by exploiting the 'userId' parameter, demonstrating horizontal privilege escalation. Finally, the 'UpdateUser' endpoint can be used to modify any user's account, including blocking or deleting users, all without requiring administrative privileges.

Remediation

Access to the Swagger documentation should be restricted in production environments, either by disabling it or by requiring administrator authentication. In addition, server-side role-based access control should be enforced on every privileged Security API endpoint so that only authorized users can perform sensitive actions, regardless of what the client application exposes.
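The following ASP.NET Core example is added here to illustrate the remediation for both the missing server-side checks described in the Vulnerability section and the recommendations above; it is not code from the Indotalent project. The controller, route, role and store names (`SecurityController`, `Administrator`, `IUserStore`, `UpdateUserRequest`) are assumptions chosen for the illustration, and the real application's identity configuration will differ.

```csharp
// Added example (not the project's code). Names of the controller, role and
// data-access abstraction are assumptions; adapt them to the real application.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

namespace Example.Security;

[ApiController]
[Route("api/[controller]")]
[Authorize] // baseline: every action on this controller requires an authenticated caller
public class SecurityController : ControllerBase
{
    private const string AdminRole = "Administrator"; // assumed role name
    private readonly IUserStore _users;               // hypothetical data-access abstraction

    public SecurityController(IUserStore users) => _users = users;

    // Enumerating all accounts is an administrative action. The role is checked
    // server-side, so a bearer token from a low-privileged user receives 403.
    [HttpGet("GetUserList")]
    [Authorize(Roles = AdminRole)]
    public IActionResult GetUserList() => Ok(_users.GetAll());

    // Profile data is owner-or-admin. The requested userId is compared with the
    // identity carried in the caller's token instead of being trusted on its own,
    // which closes the horizontal privilege escalation path.
    [HttpGet("GetMyProfileList")]
    public IActionResult GetMyProfileList([FromQuery] string userId)
    {
        if (!CallerOwnsOrIsAdmin(userId)) return Forbid();
        return Ok(_users.GetProfile(userId));
    }

    // Modifying, blocking or deleting accounts is restricted to administrators.
    [HttpPost("UpdateUser")]
    [Authorize(Roles = AdminRole)]
    public IActionResult UpdateUser([FromBody] UpdateUserRequest request)
    {
        _users.Update(request);
        return NoContent();
    }

    private bool CallerOwnsOrIsAdmin(string userId)
    {
        var callerId = User.FindFirstValue(ClaimTypes.NameIdentifier);
        return User.IsInRole(AdminRole)
            || (callerId is not null && string.Equals(callerId, userId, StringComparison.Ordinal));
    }
}

// Hypothetical request type and store so the controller compiles in isolation.
public record UpdateUserRequest(string UserId, bool IsBlocked);

public interface IUserStore
{
    IEnumerable<object> GetAll();
    object? GetProfile(string userId);
    void Update(UpdateUserRequest request);
}

// Program-level hardening (Program.cs). A fallback policy makes any endpoint
// without an explicit [Authorize]/[AllowAnonymous] fail closed, and Swagger is
// only mapped outside production. If the documentation must stay available in
// production, map it behind an administrator policy instead of exposing it
// unauthenticated.
public static class Startup
{
    public static WebApplication Build(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddControllers();
        builder.Services.AddAuthorizationBuilder()
            .SetFallbackPolicy(new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build());
        builder.Services.AddEndpointsApiExplorer();
        builder.Services.AddSwaggerGen(); // Swashbuckle.AspNetCore

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        if (app.Environment.IsDevelopment())
        {
            app.UseSwagger();
            app.UseSwaggerUI();
        }
        app.MapControllers();
        return app;
    }
}
```

The fallback policy is the defence-in-depth piece: it means a future endpoint that forgets its `[Authorize]` attribute still rejects anonymous callers, while the per-action `Roles` requirement and the ownership comparison in `CallerOwnsOrIsAdmin` are what actually address the three endpoints named in this advisory.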

Added: Feb 26, 2026, 10:28 PM
Updated: Feb 26, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.