Plainpad Privilege Escalation Vulnerability Allowing Unauthorized Admin Access

Vulnerability

A privilege escalation vulnerability has been identified in Plainpad, a self-hosted note-taking application, prior to version 1.1.1. The issue allows low-privilege authenticated users to escalate their privileges to admin by sending a request with 'admin=true' to the 'PUT /api.php/v1/users/{id}' endpoint. This endpoint improperly validates user input, directly applying the 'admin' attribute without appropriate authorization checks. Once escalated, users can access admin-only routes immediately.

Impact

Exploitation of this vulnerability allows low-privilege users to gain administrative rights, enabling access to sensitive admin-only features and routes. This could lead to unauthorized changes or access to confidential information within the application.

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges can send a 'PUT' request to the '/api.php/v1/users/{id}' endpoint, including 'admin=true' in the request. The absence of proper authorization checks on the 'admin' field allows the user to self-escalate to an administrator role.
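As an added illustration, not Plainpad's own code, the Python model below contrasts the update pattern the advisory describes (every submitted attribute, including 'admin', is applied to the account) with a hardened handler that rejects privileged attributes unless the caller is already an administrator. The names User, PRIVILEGED_FIELDS, update_user_vulnerable and update_user_fixed are assumptions for the example.

```python
"""Model of a mass-assignment privilege escalation and its fix (illustrative)."""
from dataclasses import dataclass

# Attributes that only an administrator may change on any account (assumed set).
PRIVILEGED_FIELDS = {"admin"}


@dataclass
class User:
    id: int
    name: str
    admin: bool = False


class Forbidden(Exception):
    """Raised when the caller is not allowed to apply the requested change."""


def _coerce(current, value):
    """Form bodies arrive as strings; map 'true'/'1' onto boolean fields."""
    if isinstance(current, bool) and isinstance(value, str):
        return value.lower() in ("true", "1", "on")
    return value


def _apply(target: User, payload: dict) -> User:
    for key, value in payload.items():
        if key != "id" and hasattr(target, key):
            setattr(target, key, _coerce(getattr(target, key), value))
    return target


def update_user_vulnerable(actor: User, target: User, payload: dict) -> User:
    """Applies whatever the request contains: admin=true from a low-privilege
    actor is copied straight onto the account, as in the advisory."""
    return _apply(target, payload)


def update_user_fixed(actor: User, target: User, payload: dict) -> User:
    """Hardened: only the owner or an admin may edit an account, and the
    privileged attributes are refused outright unless the actor is an admin."""
    if actor.id != target.id and not actor.admin:
        raise Forbidden("cannot edit another user's account")
    requested = set(payload) & PRIVILEGED_FIELDS
    if requested and not actor.admin:
        raise Forbidden(f"privileged fields require admin: {sorted(requested)}")
    return _apply(target, payload)
```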

Remediation

Users are advised to update to Plainpad version 1.1.1, where this vulnerability has been patched.

Added: May 9, 2026, 8:24 PM
Updated: May 9, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.