Grav
cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*
- < 2.0.0-beta.2
A business logic vulnerability exists in the Grav Admin Panel versions prior to 2.0.0-beta.2. It allows a low-privileged user with user creation permissions to overwrite existing accounts, including the primary administrator. This is achieved by creating a new user with a username that already exists, which triggers an update of the existing account's metadata and permissions. As a result, the original admin rights are stripped away, leading to a denial-of-service on administrative functions and a privilege downgrade of the root account.
Exploitation of this vulnerability disrupts administrative accounts and de-escalates privileges for the primary administrator, effectively locking them out of management functions.
To reproduce this vulnerability, log in as a Super User and create a low-privileged user with permissions to manage other users. Then, navigate to the user accounts section and attempt to create a new user using the username of an existing admin account. Once the account is created, the original admin rights will be overwritten, demonstrating the vulnerability.
This vulnerability has been fixed in Grav version 2.0.0-beta.2.
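As an added illustration (not Grav's own code), the following constructed in-memory account store contrasts the upsert-style create path the advisory describes with a create-only path, and includes an audit check that flags accounts whose super access disappeared between two snapshots; the store layout, field names, case-insensitive username matching and sample accounts are all assumptions.

```python
import copy


class UserExistsError(Exception):
    """Raised when a create request names an account that already exists."""


def _has_super(acct):
    # Assumed record layout: access -> admin -> super (bool).
    return bool(acct.get("access", {}).get("admin", {}).get("super"))


class AccountStore:
    """Constructed stand-in for a flat-file account directory (not Grav's)."""

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _key(username):
        # Assumption: names are matched case-insensitively, as they would be
        # if each account were a file on a case-insensitive filesystem.
        return username.strip().lower()

    def create_user_vulnerable(self, username, data):
        # Upsert semantics: a "create" naming an existing account replaces the
        # whole record, so the stored access block (and super flag) is lost.
        self.accounts[self._key(username)] = dict(data)

    def create_user_fixed(self, username, data):
        # Create-only semantics: never write over an existing account.
        key = self._key(username)
        if key in self.accounts:
            raise UserExistsError(f"account '{username}' already exists")
        self.accounts[key] = dict(data)

    def is_super(self, username):
        return _has_super(self.accounts.get(self._key(username), {}))


def lost_super_accounts(before, after):
    """Audit helper: usernames that held super access before but not after."""
    return sorted(u for u, a in before.items()
                  if _has_super(a) and not _has_super(after.get(u, {})))


def run_scenario(fixed):
    """Seed one super user, then replay a low-privileged 'create' that names it.
    Returns (admin still super?, accounts that lost super)."""
    store = AccountStore()
    store.accounts["admin"] = {"email": "admin@example.test",  # constructed
                               "access": {"admin": {"super": True, "login": True}}}
    snapshot = copy.deepcopy(store.accounts)
    request = {"email": "newuser@example.test", "access": {"site": {"login": True}}}
    try:
        (store.create_user_fixed if fixed else store.create_user_vulnerable)("Admin", request)
    except UserExistsError:
        pass  # the hardened path rejects the request and leaves the store untouched
    return store.is_super("admin"), lost_super_accounts(snapshot, store.accounts)
```

The audit helper is the defender-side piece: run it over periodic snapshots of the account store and any name it returns indicates a privileged account that was silently downgraded.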