mickasmt next-saas-stripe-starter Improper Authorization Vulnerability in User Role Update Function
Vulnerability
A critical vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0, specifically within the updateUserRole function in actions/update-user-role.ts. This vulnerability allows any authenticated user to escalate their privileges to ADMIN by manipulating the userId and role arguments. The issue arises because the authorization check only verifies if the user is modifying their own record, enabling users to grant themselves admin rights. The vulnerability can be exploited remotely.
Impact
Exploitation of this vulnerability allows authenticated users to gain unauthorized ADMIN privileges, granting access to admin-only routes and functionalities.
Reproduction
To reproduce this vulnerability, an authenticated user with a USER role can navigate to the dashboard settings page, select ADMIN from the role dropdown, and submit the form. The updateUserRole function will validate the request and, due to the flawed authorization logic, will update the user's role to ADMIN.
Remediation
It is recommended to remove the updateUserRole action and the UserRoleForm component from the application. Role modifications should be restricted to a dedicated admin-only action that verifies the caller's admin status from the server-side session and only updates the roles of users other than the caller.
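The flawed check beside an admin-only replacement, as an added illustration that is not code from next-saas-stripe-starter: the user store, Session type and both function names are constructed for this example, and the role check deliberately re-reads the caller's record rather than trusting the caller-supplied arguments.

```typescript
// Added illustrative example; not code from next-saas-stripe-starter.
// Models a server action's authorization logic over an in-memory user store.
type Role = "USER" | "ADMIN";
interface User { id: string; role: Role }
interface Session { user: { id: string } }

// Constructed sample data: two ordinary users and one admin.
const users = new Map<string, User>([
  ["u1", { id: "u1", role: "USER" }],
  ["u2", { id: "u2", role: "USER" }],
  ["a1", { id: "a1", role: "ADMIN" }],
]);

type Result = { status: "success" } | { status: "error"; reason: string };

// Flawed pattern from the advisory: the only check is "am I editing my own
// record?", so any authenticated USER can hand themselves ADMIN.
export function updateUserRoleVulnerable(session: Session, userId: string, role: Role): Result {
  if (session.user.id !== userId) return { status: "error", reason: "unauthorized" };
  const target = users.get(userId);
  if (!target) return { status: "error", reason: "not found" };
  target.role = role;
  return { status: "success" };
}

// Hardened admin-only action: the caller's role comes from the server-side
// record keyed by the session id (never from request arguments), must be
// ADMIN, and the target must be a different user than the caller.
export function updateUserRoleAdmin(session: Session, userId: string, role: Role): Result {
  const caller = users.get(session.user.id);
  if (!caller || caller.role !== "ADMIN") return { status: "error", reason: "forbidden" };
  if (userId === caller.id) return { status: "error", reason: "cannot change own role" };
  const target = users.get(userId);
  if (!target) return { status: "error", reason: "not found" };
  target.role = role;
  return { status: "success" };
}

// Helper for inspecting the store after each call.
export function getRole(userId: string): Role | undefined {
  return users.get(userId)?.role;
}
```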