Webkul Krayin CRM
cpe:2.3:a:webkul:krayin_crm:*:*:*:*:*:*:*
Affected versions: ~2.2
A Broken Object-Level Authorization (BOLA) vulnerability has been identified in Webkul Krayin CRM version 2.2.x. The issue resides in the PersonController.php file, specifically within the contact management endpoint. This vulnerability allows authenticated attackers to arbitrarily read, modify, and permanently delete contacts owned by other users. Exploitation involves sending crafted GET, PUT, or DELETE requests with manipulated person IDs.
Exploitation of this vulnerability leads to unauthorized access and modification of contact records, allowing for reading, altering, or deleting personal information of other users.
To reproduce this vulnerability, an authenticated user can send a GET, PUT, or DELETE request to the /admin/contacts/persons/{id} endpoint, replacing {id} with the ID of a contact owned by another user. The absence of authorization checks on the person ID allows for manipulation of contacts across different users.
Implement object-level authorization checks in the PersonController so that users can only access contacts they own. This can be done by checking that the owner of the requested person record matches the authenticated user before the record is read, updated, or deleted, or by using Laravel Policy classes to enforce ownership. Additionally, audit logging can be introduced to track access attempts against contacts owned by other users.
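The policy-based fix described above, as an added example that is not Krayin's own code: a Laravel policy that encodes the ownership rule once, and a controller that applies it to the GET, PUT, and DELETE actions before touching the record. The `Person` model, its `user_id` owner column, the fillable fields, and the base `Controller` using Laravel's `AuthorizesRequests` trait are assumptions.

```php
<?php
// Added illustration, not Krayin's own code. Assumptions: a Person Eloquent model
// with a user_id owner column, a User model, and a base Controller using Laravel's
// AuthorizesRequests trait. Two files in one listing (PHP permits this).
namespace App\Policies;
use App\Models\Person;
use App\Models\User;

// Auto-discovered by Laravel for App\Models\Person; no registration needed.
class PersonPolicy
{
    // One ownership rule shared by every per-record ability.
    private function owns(User $user, Person $person): bool
    {
        return (int) $person->user_id === (int) $user->getKey();
    }
    public function view(User $user, Person $person): bool   { return $this->owns($user, $person); }
    public function update(User $user, Person $person): bool { return $this->owns($user, $person); }
    public function delete(User $user, Person $person): bool { return $this->owns($user, $person); }
}

namespace App\Http\Controllers;
use App\Models\Person;
use Illuminate\Http\Request;

class PersonController extends Controller
{
    // Load the record, then gate it on ownership before the action touches it:
    // 404 if absent, 403 (AuthorizationException) if owned by someone else.
    private function ownedPerson(int $id, string $ability): Person
    {
        $person = Person::findOrFail($id);
        $this->authorize($ability, $person);
        return $person;
    }
    public function view(int $id)                      // GET    /admin/contacts/persons/{id}
    {
        return response()->json($this->ownedPerson($id, 'view'));
    }
    public function update(Request $request, int $id)  // PUT    /admin/contacts/persons/{id}
    {
        $person = $this->ownedPerson($id, 'update');
        $person->update($request->only(['name', 'job_title']));  // assumed fillable columns
        return response()->json($person);
    }
    public function destroy(int $id)                   // DELETE /admin/contacts/persons/{id}
    {
        $this->ownedPerson($id, 'delete')->delete();
        return response()->noContent();
    }
}
```

Because `findOrFail` runs before `authorize`, a non-owner can still tell whether an ID exists (404 versus 403); if that distinction matters, scope the lookup to the owner (for example `Person::where('user_id', $request->user()->id)->findOrFail($id)`) so both cases return 404.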