Z-9527 Admin Mass Assignment Vulnerability in User Update Endpoint
Vulnerability
A mass assignment vulnerability exists in Z-9527 Admin versions 1.0 and 2.0, prior to commit 72aaf2d. The issue is located in the User Update Endpoint, specifically within the file /server/routes/user.js. It allows an authenticated attacker to set the isAdmin parameter and thereby escalate their own account to administrator rights. The flaw arises because user-supplied input is incorporated directly into SQL UPDATE statements without validation or whitelisting of the fields that may be updated. As a result, an attacker can modify arbitrary database columns, including those that control user privileges.
Impact
Exploitation of this vulnerability allows authenticated users to gain administrative privileges by manipulating the isAdmin field through the user update endpoint.
Reproduction
To reproduce this vulnerability, an authenticated user can send a POST request to the /user/update endpoint with the isAdmin parameter set to 1. The absence of input validation allows this manipulation to be processed, resulting in the user being granted admin rights.
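The following is an added example and is not code from Z-9527 Admin or its /server/routes/user.js. It models the flaw described above in a self-contained way: a query builder that turns every key of the request body into a column of the UPDATE statement, beside a builder that only accepts an allow-list of self-editable columns and reports anything else. Function names, column names and the db.run driver call are assumptions for illustration.

```javascript
// Added example, not code from Z-9527 Admin. Models a user-update handler
// that maps request-body keys onto UPDATE columns (the mass-assignment
// pattern) beside an allow-listed version. All names here are assumptions.

// Columns a user may change on their own account. isAdmin is deliberately
// absent: privilege changes belong to a separate, admin-only code path.
const USER_EDITABLE_COLUMNS = new Set(['displayName', 'email']);

// Vulnerable pattern: every body key becomes "<key> = ?". Values are bound
// as parameters, so this is not classic SQL injection, but the caller still
// decides WHICH columns are written, and the keys themselves are spliced
// unquoted into the statement text.
function buildUpdateUnsafe(userId, body) {
  const columns = Object.keys(body);
  const sql =
    'UPDATE users SET ' + columns.map((c) => `${c} = ?`).join(', ') + ' WHERE id = ?';
  return { sql, params: [...columns.map((c) => body[c]), userId] };
}

// Hardened pattern: unknown keys are reported instead of applied, so a body
// that smuggles isAdmin (or any other column) is rejected before any SQL is
// built. Only allow-listed identifiers ever reach the statement text.
function buildUpdateSafe(userId, body) {
  const columns = Object.keys(body);
  const rejected = columns.filter((c) => !USER_EDITABLE_COLUMNS.has(c));
  if (rejected.length > 0) {
    return { error: `fields not permitted: ${rejected.join(', ')}`, rejected };
  }
  if (columns.length === 0) {
    return { error: 'no editable fields supplied', rejected: [] };
  }
  const sql =
    'UPDATE users SET ' + columns.map((c) => `${c} = ?`).join(', ') + ' WHERE id = ?';
  return { sql, params: [...columns.map((c) => body[c]), userId] };
}

// Express-shaped handler built on the safe builder. The user id comes from
// the authenticated session, never from the body, so one account cannot
// address another. `db.run(sql, params)` is an assumed driver call.
function updateUserHandler(db) {
  return (req, res) => {
    const built = buildUpdateSafe(req.session.userId, req.body);
    if (built.error) {
      // A 400 plus a log line gives detection a signal: a body naming
      // isAdmin from an ordinary session is worth alerting on.
      console.warn(`rejected update from user ${req.session.userId}: ${built.error}`);
      return res.status(400).json({ error: built.error });
    }
    db.run(built.sql, built.params);
    return res.status(200).json({ ok: true });
  };
}

// Constructed request body: a normal profile edit with isAdmin smuggled in.
const constructedBody = { displayName: 'alice', email: 'alice@example.com', isAdmin: 1 };

console.log('unsafe:', buildUpdateUnsafe(42, constructedBody));
console.log('safe:  ', buildUpdateSafe(42, constructedBody));
```

Run with node to see that the unsafe builder emits a SET clause for isAdmin while the safe builder refuses the whole request. The design choice worth copying is that the allow-list is applied to the field names before any statement is assembled, and that the rejection is explicit rather than a silent drop, so the event can be logged and alerted on.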
Remediation
No specific mitigation measures are known for this vulnerability.
