Grav API Plugin Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the Grav API Plugin for Grav CMS, prior to version 1.0.0-beta.15, allows authenticated users with basic API access to exploit an insecure direct object reference in the UsersController's update method. This flaw enables users to modify their own permission settings, potentially escalating their privileges to Super Administrator. Such an escalation could lead to a complete system compromise and, according to the CVE, remote code execution. The vulnerability arises because the access field, which controls user roles and permissions, is improperly validated, allowing low-privileged users to overwrite their access rights.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation to Super Administrator rights, granting full control over the Grav CMS. With Super Administrator privileges, an attacker could manipulate content, change system configurations, upload harmful plugins, or modify Twig templates outside of the designated sandbox, potentially leading to remote code execution on the server.

Reproduction

To reproduce this vulnerability, first obtain a low-privileged user account with basic API access. After authenticating to the API and receiving an access token, send a PATCH request to the user update endpoint with a payload that modifies the access field to grant Super Administrator privileges. Once the update succeeds, log into the Grav Admin panel with the updated user account to verify the elevated privileges.
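The server-side check whose absence makes this possible, as an added illustration that is not the Grav API Plugin's own code: it models Grav's nested boolean permissions under the user's access key (e.g. access.admin.super) and contrasts the flawed pattern (any authenticated caller may write any field of the record) with one that enforces both object ownership and the privileged-field restriction. The names User, vulnerable_check, hardened_check and PRIVILEGED_FIELDS are this example's own.

```python
# Illustrative authorization model for a user-update endpoint; not the
# plugin's actual code. Grav stores permissions as nested booleans under
# the user's `access` key (e.g. access.admin.super), modelled here as dicts.
from dataclasses import dataclass, field

# Fields only a super administrator may write. `access` is the field this
# advisory concerns; the constant name is this example's own.
PRIVILEGED_FIELDS = frozenset({"access"})


@dataclass
class User:
    username: str
    access: dict = field(default_factory=dict)


def is_super_admin(access: dict) -> bool:
    """True when the record carries access.admin.super = true."""
    return bool(access.get("admin", {}).get("super", False))


def vulnerable_check(caller: User, target: str, payload: dict) -> bool:
    """The flawed pattern: being authenticated is the only requirement,
    so the target record and the fields being written are never examined."""
    return caller.username != ""


def hardened_check(caller: User, target: str, payload: dict) -> tuple[bool, str]:
    """Two independent checks: object-level ownership (who may touch this
    record) and field-level privilege (who may write the access field)."""
    admin = is_super_admin(caller.access)
    if not admin and caller.username != target:
        return False, "callers may only update their own record"
    blocked = sorted(set(payload) & PRIVILEGED_FIELDS)
    if blocked and not admin:
        return False, f"privileged field(s) {blocked} require super-admin"
    return True, "ok"


# Constructed sample accounts and request bodies for demonstration.
LOW_PRIV = User("editor", {"site": {"login": True}})
SUPER = User("root", {"admin": {"login": True, "super": True}})
ESCALATE = {"access": {"admin": {"login": True, "super": True}}}
HARMLESS = {"email": "editor@example.invalid"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_check(LOW_PRIV, "editor", ESCALATE))  # True
    print("hardened:", hardened_check(LOW_PRIV, "editor", ESCALATE))      # (False, ...)
```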

Remediation

Users are advised to update the Grav API Plugin to version 1.0.0-beta.15 or later, where this vulnerability has been fixed.

Added: May 11, 2026, 5:32 PM
Updated: May 11, 2026, 5:32 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          5.0
  exploitability  6.8
  remediation     7.7
  relevance       8.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.