Indotalent Free-CRM Improper Authorization Vulnerability in Security API

Vulnerability

A critical authorization vulnerability has been identified in Indotalent Free-CRM versions through commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. The vulnerability resides in the Security API, specifically within the file '/api/Security/'. It allows low-privileged authenticated users to bypass authorization and access privileged endpoints. The vulnerability is exploitable remotely and leads to unauthorized actions such as enumerating all user accounts, including administrators, accessing sensitive profile information, and modifying or disabling any user account. The issue stems from missing server-side authorization checks on key security APIs, combined with the exposure of these endpoints through unauthenticated Swagger documentation.

Impact

Exploitation of this vulnerability results in a complete compromise of user management functions, allowing unauthorized users to gain full administrative control over the application.

Reproduction

The vulnerability can be reproduced by first accessing the unauthenticated Swagger endpoint, which reveals the available security APIs. After logging in with a low-privileged user account, the resulting access token can be used to call the privileged APIs '/api/Security/GetUserList', '/api/Security/GetMyProfileList', and '/api/Security/UpdateUser'. Because no server-side role or ownership check is applied to these calls, this allows enumeration of all user accounts, including administrators, extraction of sensitive profile data, and unauthorized modification of user accounts.

Remediation

It is recommended to restrict access to the Swagger documentation in production environments, enforce server-side role-based access controls on security APIs, implement object-level authorization to ensure users can only access their own data, and conduct thorough security testing before releasing updates.
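The following is an added example, not code from the Free-CRM project, showing what the remediation above looks like in practice. It assumes an ASP.NET Core application (Free-CRM's Swagger-documented API points to that stack, but the assumption is not confirmed by this advisory) and uses the three endpoint names from the advisory; the role name "Administrator", the IUserService abstraction and the UpdateUserRequest DTO are hypothetical placeholders. It demonstrates the three controls named in the remediation: Swagger served only outside production, a server-side role check on the administrative list endpoint, and object-level authorization that binds profile reads and updates to the identity in the validated token rather than to anything supplied in the request.

```csharp
// Added example (not Free-CRM's own code). Assumes ASP.NET Core with the
// built-in authentication middleware. "Administrator", IUserService and
// UpdateUserRequest are hypothetical placeholders.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// In Program.cs: expose Swagger only when not running in production.
// (Shown as a comment here because this example is a single file.)
//
//   if (app.Environment.IsDevelopment())
//   {
//       app.UseSwagger();
//       app.UseSwaggerUI();
//   }

[ApiController]
[Route("api/Security")]
[Authorize] // every action below requires an authenticated caller by default
public class SecurityController : ControllerBase
{
    private readonly IUserService _users; // hypothetical service abstraction

    public SecurityController(IUserService users) => _users = users;

    // Enumerating all accounts is an administrative function, so the role
    // is enforced on the server; the client cannot opt out of this check.
    [HttpGet("GetUserList")]
    [Authorize(Roles = "Administrator")]
    public async Task<IActionResult> GetUserList() =>
        Ok(await _users.ListAllAsync());

    // Object-level authorization: the caller only ever receives their own
    // profile. The user id comes from the validated token, not the request.
    [HttpGet("GetMyProfileList")]
    public async Task<IActionResult> GetMyProfileList()
    {
        var callerId = User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (callerId is null) return Unauthorized();
        return Ok(await _users.GetProfileAsync(callerId));
    }

    // Administrators may update any account; everyone else may update only
    // their own record, and may not touch privilege-bearing fields.
    [HttpPost("UpdateUser")]
    public async Task<IActionResult> UpdateUser([FromBody] UpdateUserRequest req)
    {
        var callerId = User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (callerId is null) return Unauthorized();

        var isAdmin = User.IsInRole("Administrator");

        // Ownership check: a non-admin targeting another user's id gets 403.
        if (!isAdmin && !string.Equals(req.UserId, callerId, StringComparison.Ordinal))
            return Forbid();

        // Role changes and enable/disable are admin-only regardless of target.
        if (!isAdmin && (req.Role is not null || req.IsEnabled is not null))
            return Forbid();

        await _users.UpdateAsync(req);
        return NoContent();
    }
}

// Hypothetical DTO: nullable fields mean "leave unchanged".
public record UpdateUserRequest(string UserId, string? DisplayName, string? Role, bool? IsEnabled);

// Hypothetical service interface; a real implementation would back onto the
// application's user store.
public interface IUserService
{
    Task<IReadOnlyList<object>> ListAllAsync();
    Task<object?> GetProfileAsync(string userId);
    Task UpdateAsync(UpdateUserRequest request);
}
```

The key design point is that authorization decisions use only the identity and roles the server extracted from the token; the target user id in the request body is treated as untrusted input and compared against that identity. Attribute-level role checks alone would not stop a low-privileged user from editing another user's record through UpdateUser, which is why the ownership comparison inside the action is needed in addition to the role attribute on GetUserList.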

Added: Feb 26, 2026, 11:20 PM
Updated: Feb 26, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.