Movary Privilege Escalation Vulnerability in User Management
Vulnerability
A privilege escalation vulnerability has been identified in Movary, a self-hosted web application for tracking and rating movies. In versions prior to 0.71.1, any authenticated user could access the user-management endpoint '/settings/users' without being an administrator. This allowed a non-admin user to enumerate all accounts, including email addresses and admin status, and to create new administrator accounts. The root cause was twofold: the route definitions lacked admin-only middleware, and the authorization check at the controller level was flawed, so the only thing the endpoint effectively required was a valid session cookie. Functionality meant for administrators was therefore reachable by every logged-in user.
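The two-layer failure described above, modelled as an added example (not Movary's code): a small framework-free router in Python where the route for '/settings/users' is either registered behind a session-only middleware with a controller that mistakes "authenticated" for "admin" (the vulnerable wiring), or behind admin-only middleware with a controller that re-checks the role (the fixed wiring). The data model, handler names and the two sample accounts are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class User:
    id: int
    email: str
    is_admin: bool

@dataclass
class Request:
    method: str
    path: str
    session_user: Optional[User]        # user resolved from the session cookie; None if no session
    body: Dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: object = None

class UserStore:
    """In-memory stand-in for the application's user table (constructed sample data)."""
    def __init__(self):
        self.users: List[User] = [User(1, "admin@example.invalid", True),
                                  User(2, "bob@example.invalid", False)]

    def list_users(self):
        return [{"id": u.id, "email": u.email, "isAdmin": u.is_admin} for u in self.users]

    def create(self, email: str, is_admin: bool) -> User:
        u = User(len(self.users) + 1, email, is_admin)
        self.users.append(u)
        return u

    def admin_count(self) -> int:
        return sum(1 for u in self.users if u.is_admin)

# Middleware: each takes (request, next_handler, store) and either short-circuits or calls next.
def require_session(req, nxt, store):
    """Only proves that *some* account is logged in; all the vulnerable route demanded."""
    return Response(401) if req.session_user is None else nxt(req, store)

def require_admin(req, nxt, store):
    """The admin-only gate the vulnerable route definitions lacked."""
    if req.session_user is None:
        return Response(401)
    if not req.session_user.is_admin:
        return Response(403)
    return nxt(req, store)

def make_users_controller(check_admin: bool):
    """Controller for /settings/users. check_admin=False reproduces the flawed
    controller-level check (being authenticated is mistaken for being authorized)."""
    def controller(req, store):
        if req.session_user is None:
            return Response(401)
        if check_admin and not req.session_user.is_admin:
            return Response(403)            # defence in depth: re-check even behind middleware
        if req.method == "GET":
            return Response(200, store.list_users())
        if req.method == "POST":
            u = store.create(req.body["email"], bool(req.body.get("isAdmin", False)))
            return Response(201, {"id": u.id, "isAdmin": u.is_admin})
        return Response(405)
    return controller

def build_app(vulnerable: bool):
    """Returns (dispatch, store). vulnerable=True wires the route the way the advisory describes."""
    store = UserStore()
    if vulnerable:
        routes = {"/settings/users": ([require_session], make_users_controller(False))}
    else:
        routes = {"/settings/users": ([require_admin], make_users_controller(True))}

    def dispatch(req: Request) -> Response:
        if req.path not in routes:
            return Response(404)
        chain, handler = routes[req.path]

        def run(i, r, s):
            if i == len(chain):
                return handler(r, s)
            return chain[i](r, lambda r2, s2: run(i + 1, r2, s2), s)
        return run(0, req, store)
    return dispatch, store

def non_admin_attack(vulnerable: bool):
    """Replays the advisory's two steps as the non-admin user 'bob'.
    Returns (GET status, POST status, number of admin accounts afterwards)."""
    dispatch, store = build_app(vulnerable)
    bob = store.users[1]
    get = dispatch(Request("GET", "/settings/users", bob))
    post = dispatch(Request("POST", "/settings/users", bob,
                            {"email": "mallory@example.invalid", "isAdmin": True}))
    return get.status, post.status, store.admin_count()

if __name__ == "__main__":
    print("vulnerable:", non_admin_attack(True))    # (200, 201, 2)
    print("fixed:     ", non_admin_attack(False))   # (403, 403, 1)
```

The fixed wiring keeps the role check inside the controller even though the middleware already enforces it. Route tables get edited over time, and a controller that trusts the route to have done authorization is exactly how a flaw of this shape becomes reachable again.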
Impact
Exploitation of this vulnerability allows ordinary authenticated users to gain administrative privileges, enabling them to create new admin accounts and access sensitive user information.
Reproduction
To reproduce this vulnerability, log in as a user who is not an administrator and take the resulting session cookie. Use it to send a GET request to '/settings/users'; on a vulnerable version this returns the list of all users, including their email addresses and admin status, whereas a patched version must refuse the request. Then send a POST request to the same endpoint with a payload that includes 'isAdmin' set to true; a vulnerable instance creates a new administrator account. The second step is destructive, since it adds a real admin account, so perform it only against a test instance you control and remove the account afterwards.
Remediation
Update to Movary version 0.71.1 or later, where this vulnerability has been patched. After updating, confirm the fix by repeating the GET request from the reproduction steps with a non-admin session: it must no longer return the user list.
