StudioCMS REST API Owner Account Exposure Vulnerability

Vulnerability

A vulnerability in the StudioCMS REST API `getUsers` endpoint prior to version 0.4.4 allows admin tokens to access owner account details. When the `rank` query parameter is used to filter results, the endpoint does not exclude owner accounts, so an admin can retrieve sensitive information such as the IDs, usernames, display names, and email addresses of owner users. The root cause is an authorization inconsistency within the user management API: the adjacent `getUser` endpoint correctly denies admins access to owner records, while `getUsers` does not.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of owner account details, including sensitive information such as email addresses and user IDs, which could be used for phishing or targeted attacks.

Reproduction

To reproduce this vulnerability, send a GET request to the `getUsers` endpoint with the `rank` query parameter set to `owner`, using an admin-level REST API token for authorization. The response will include owner account records, demonstrating the authorization bypass.
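The following is an added illustration, not StudioCMS's own code, of the authorization inconsistency described in the Vulnerability section and of the check behind the reproduction step: a listing endpoint that applies the owner exclusion only on the unfiltered path, beside a fixed version that reuses the same per-record rule as the single-record lookup. The rank names, user records, token shape and function names are all constructed for the example; the exact shape of the original bug is assumed.

```typescript
// Added example (not StudioCMS code). Ranks, records and the token shape
// are constructed; the vulnerable handler is an assumed reconstruction of
// the flaw, not the project's actual source.

type Rank = "owner" | "admin" | "editor" | "visitor";

interface User {
  id: string;
  username: string;
  name: string;
  email: string;
  rank: Rank;
}

interface ApiToken {
  userId: string;
  rank: Rank; // rank of the account the token was issued to
}

// Constructed sample data.
const USERS: User[] = [
  { id: "u1", username: "site-owner", name: "Site Owner", email: "owner@example.invalid", rank: "owner" },
  { id: "u2", username: "admin1", name: "Admin One", email: "admin1@example.invalid", rank: "admin" },
  { id: "u3", username: "editor1", name: "Editor One", email: "editor1@example.invalid", rank: "editor" },
];

const ADMIN_TOKEN: ApiToken = { userId: "u2", rank: "admin" };
const OWNER_TOKEN: ApiToken = { userId: "u1", rank: "owner" };

// One authorization rule, mirroring what the advisory attributes to
// getUser: only owners may read owner records; admins may read the rest.
function canViewUser(caller: ApiToken, target: User): boolean {
  if (target.rank === "owner") return caller.rank === "owner";
  return caller.rank === "owner" || caller.rank === "admin";
}

// Single-record lookup: returns null when the caller is not authorized.
function getUser(caller: ApiToken, id: string): User | null {
  const u = USERS.find((x) => x.id === id);
  if (!u || !canViewUser(caller, u)) return null;
  return u;
}

// Vulnerable shape (assumed): the owner exclusion lives only on the
// unfiltered branch, so ?rank=owner returns owner records to an admin token.
function getUsersVulnerable(caller: ApiToken, rankFilter?: Rank): User[] {
  if (rankFilter) {
    return USERS.filter((u) => u.rank === rankFilter);
  }
  return USERS.filter((u) => canViewUser(caller, u));
}

// Fixed shape: apply the rank filter, then the same per-record
// authorization check on every path.
function getUsersFixed(caller: ApiToken, rankFilter?: Rank): User[] {
  return USERS
    .filter((u) => rankFilter === undefined || u.rank === rankFilter)
    .filter((u) => canViewUser(caller, u));
}

// The reproduction check: does a listing contain any owner records?
function leaksOwner(result: User[]): boolean {
  return result.some((u) => u.rank === "owner");
}

// Regression check: for every rank filter, the records a token can list
// must be exactly the records it can fetch one at a time via getUser.
function listMatchesSingleLookup(
  caller: ApiToken,
  list: (c: ApiToken, r?: Rank) => User[],
): boolean {
  const ranks: (Rank | undefined)[] = [undefined, "owner", "admin", "editor", "visitor"];
  return ranks.every((r) =>
    USERS.every((u) => {
      const listed = list(caller, r).some((x) => x.id === u.id);
      const fetchable = getUser(caller, u.id) !== null && (r === undefined || u.rank === r);
      return listed === fetchable;
    }),
  );
}

console.log("vulnerable path leaks owner to admin:", leaksOwner(getUsersVulnerable(ADMIN_TOKEN, "owner")));
console.log("fixed path leaks owner to admin:", leaksOwner(getUsersFixed(ADMIN_TOKEN, "owner")));
```

The consistency check is the part worth carrying into a real test suite: it encodes the advisory's own observation (that `getUser` and `getUsers` disagree for admin tokens) as an invariant, so a future change to either endpoint that reintroduces the gap fails the test rather than shipping.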

Remediation

Users can update to StudioCMS version 0.4.4 or later, where this vulnerability has been fixed.

Added: Mar 18, 2026, 9:21 PM
Updated: Mar 18, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.1
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.