ProjeQtor Missing Authorization Vulnerability in objectDetail.php Endpoint

Vulnerability

A missing authorization vulnerability has been identified in ProjeQtor versions from 7.0 up to, but not including, 12.4.4. The issue lies in the objectDetail.php endpoint, which returns object details without verifying that the requesting user is entitled to see them: an authenticated user with only guest-level privileges can retrieve sensitive data belonging to other users, such as password hashes and API keys. Because the endpoint performs no server-side authorization check, such a user can bypass the intended access controls and directly retrieve records that may include administrator credentials, potentially leading to privilege escalation.

Impact

Exploitation of this vulnerability could allow low-privileged users to access and extract sensitive information from other users, including password hashes and API keys. Such data could be used to gain unauthorized access to accounts or escalate privileges within the application.

Remediation

It is recommended that ProjeQtor implement server-side authorization checks for all endpoints that return object details. The application should verify that the requesting user holds the appropriate permissions for the requested record before returning it, regardless of any client-side (frontend) controls, since those can be bypassed by calling the endpoint directly. This vulnerability is addressed by updating to ProjeQtor version 12.4.4 or later, where the authorization issue has been fixed.
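To make the recommended fix concrete, the following added example (not ProjeQtor's code; the User record, roles and the object_detail_* handler names are hypothetical) contrasts a detail handler that trusts the caller with one that enforces the check server-side and also keeps secret fields out of the response altogether:

```python
# Illustrative "object detail" handler showing the missing-authorization
# pattern and a hardened version. Constructed example, not ProjeQtor's code.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    role: str            # constructed roles: "admin" or "guest"
    password_hash: str   # sensitive: must never leave the server
    api_key: str         # sensitive


# Constructed sample data standing in for the application's user table.
USERS = {
    1: User(1, "alice", "admin", "$2y$10$constructed-admin-hash", "ADMIN-API-KEY-placeholder"),
    2: User(2, "bob", "guest", "$2y$10$constructed-guest-hash", "GUEST-API-KEY-placeholder"),
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to read the record."""


def object_detail_vulnerable(requester: User, user_id: int) -> dict:
    """Before: any authenticated caller gets the full record of any user.
    Authentication is checked elsewhere, but authorization is not."""
    target = USERS[user_id]
    return vars(target).copy()   # leaks password_hash and api_key


def object_detail_fixed(requester: User, user_id: int) -> dict:
    """After: server-side authorization plus redaction of secret fields."""
    target = USERS.get(user_id)
    if target is None:
        raise KeyError(user_id)
    # Authorization: only the record owner or an administrator may read it.
    if requester.role != "admin" and requester.id != target.id:
        raise Forbidden(f"user {requester.id} may not read user {target.id}")
    # Least exposure: secrets are never part of a detail response, even for
    # the owner or an admin; they are only ever compared or used server-side.
    public_fields = ("id", "name", "role")
    return {k: getattr(target, k) for k in public_fields}
```

Treat the redaction as a second, independent layer: even a correct authorization check does not justify shipping credential material in an API response.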

Added: Apr 27, 2026, 4:29 PM
Updated: Apr 27, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.