Erudika Scoold
cpe:2.3:a:erudika:scoold:*:*:*:*:*:*:*
- 1.66.2
A vulnerability in Scoold prior to version 1.67.0 allows unauthorized modification of the admin configuration value through the API endpoint '/api/config/set/admins'. This is possible by using a forged Bearer token that is accepted as an admin API token. Once the admin setting is changed, the targeted email address is written to the application configuration file. Although the change does not take effect immediately, it becomes active after a restart of the Scoold application, granting the user admin privileges and access to the admin panel. This vulnerability creates a persistent admin takeover, as an attacker can simply overwrite the admin email, wait for a restart, and regain admin access.
Exploitation of this vulnerability leads to persistent privilege escalation, allowing an attacker to gain and maintain admin rights on the Scoold platform.
To reproduce this vulnerability, first, obtain a low-privilege user account and generate a forged JWT that bypasses admin authorization. Then, use the forged token to send a PUT request to '/api/config/set/admins', including the email address of the low-privilege user. After the configuration is updated, restart the Scoold application. Once the application is back online, the user will have admin privileges, confirmed by accessing the admin panel.
Users are advised to update Scoold to version 1.67.0 or later, where this vulnerability has been patched.
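Two defender-side checks for the behaviour described above, added here as an example and not part of the advisory or of Scoold itself: flag any API write to the `/api/config/set/...` endpoints in the access log (a low-privilege user has no reason to call them), and diff the admin e-mail list in the configuration file against a known baseline so a planted address is caught before the restart that would activate it. The log line format and the `scoold.admins` config key are constructed assumptions.

```python
"""Detection helpers for the Scoold admin-config takeover (example, not Scoold code)."""
import re
from typing import Dict, List

# Constructed NCSA-style access-log sample; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /questions HTTP/1.1" 200 5120
10.0.0.9 - - [12/May/2024:10:01:10 +0000] "PUT /api/config/set/admins HTTP/1.1" 200 41
10.0.0.9 - - [12/May/2024:10:01:11 +0000] "GET /admin HTTP/1.1" 403 0
10.0.0.7 - - [12/May/2024:10:02:00 +0000] "POST /api/config/set/feedback HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
SENSITIVE_PREFIX = "/api/config/set/"


def find_config_writes(log_text: str) -> List[Dict[str, str]]:
    """Return every request that changes a config value through the API.

    The 'admins' key is the one the advisory concerns; any other key written by
    an unexpected client is still worth a look, so all of them are reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").startswith(SENSITIVE_PREFIX):
            hit = m.groupdict()
            hit["key"] = m.group("path")[len(SENSITIVE_PREFIX):]
            hits.append(hit)
    return hits


def admins_drift(config_text: str, baseline: List[str]) -> List[str]:
    """E-mails in the config's admin list that are not in the approved baseline.

    Assumes a line like  scoold.admins = "a@x.org,b@x.org"  (assumed key/format).
    A non-empty result means the file was altered and a restart would grant
    admin rights to the extra addresses.
    """
    m = re.search(r'^\s*scoold\.admins\s*=\s*"([^"]*)"', config_text, re.M)
    current = [e.strip() for e in m.group(1).split(",") if e.strip()] if m else []
    return [e for e in current if e not in baseline]


if __name__ == "__main__":
    for hit in find_config_writes(SAMPLE_LOG):
        print(f"config write: {hit['method']} key={hit['key']} from {hit['ip']} at {hit['ts']}")
    print(admins_drift('scoold.admins = "owner@example.org,extra@example.org"\n',
                       ["owner@example.org"]))
```

Run the drift check on a schedule and before any planned restart, since the advisory notes the overwritten value only takes effect once the application is restarted.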