1024-lab Smart-Admin Improper Access Control Vulnerability in Druid Application
Vulnerability
An improper access control vulnerability has been identified in 1024-lab Smart-Admin versions up to and including 3.30.0. The issue resides in the Demo Site component, in the Druid monitoring page served at /smart-admin-api/druid/index.html. The page is reachable without any authentication, so the weakness can be exploited remotely. Although the project was notified of this issue, no response has been received yet.
Impact
An attacker who reaches the unauthenticated Druid console can read every SQL statement the application's data source has executed and the list of web sessions Druid is monitoring, including their session identifiers. With a live session identifier the attacker can impersonate that user in the system backend and potentially cause further damage from there.
Reproduction
To reproduce this vulnerability, request the Druid index page (GET /smart-admin-api/druid/index.html) without any credentials or session cookie. Because no access control is applied, the page and the SQL and session views linked from it are returned to any remote client.
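The following probe is an added example, not code from the advisory or from the Smart-Admin project. It sends unauthenticated GET requests to the index page named above and, assuming the standard Druid stat view paths (/sql.json for SQL statistics, /websession.json for session statistics, and a JSON envelope containing a "ResultCode" key), reports whether each view is served without a login redirect. The base URL and the exact classification rules are assumptions to adjust for the target.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;

public class DruidExposureCheck {

    // The HTML index from the advisory plus the JSON views behind the SQL and Session tabs
    // (assumed standard Druid stat view paths).
    private static final List<String> PATHS = List.of("/index.html", "/sql.json", "/websession.json");

    public static void main(String[] args) throws Exception {
        // Assumed default base URL; pass the real one as the first argument.
        String base = args.length > 0 ? args[0] : "http://localhost:8080/smart-admin-api/druid";

        // Do not follow redirects: a 302 to login.html is the signal that auth is configured.
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();

        for (String path : PATHS) {
            // Deliberately no Cookie or Authorization header: this is the unauthenticated case.
            HttpRequest request = HttpRequest.newBuilder(URI.create(base + path)).GET().build();
            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
            System.out.printf("%-18s -> %s%n", path, classify(response));
        }
    }

    // Heuristic classification of one response (assumption: Druid redirects unauthenticated
    // clients to .../login.html when loginUsername is set, and wraps JSON in {"ResultCode":..}).
    static String classify(HttpResponse<String> response) {
        int status = response.statusCode();
        String location = response.headers().firstValue("Location").orElse("");

        if (status == 302 && location.endsWith("/login.html")) {
            return "protected (redirected to login)";
        }
        if (status == 401 || status == 403) {
            return "protected (HTTP " + status + ")";
        }
        if (status == 404) {
            return "not deployed";
        }
        if (status == 200 && response.body().contains("\"ResultCode\"")) {
            return "EXPOSED: statistics JSON returned without authentication";
        }
        if (status == 200) {
            return "EXPOSED: page served without login redirect (inspect body)";
        }
        return "unexpected HTTP " + status;
    }
}
```

Run it as `java DruidExposureCheck.java https://target/smart-admin-api/druid` (Java 11 or later). An "EXPOSED" result on /websession.json is the finding that matters most, because that view is where the session identifiers described under Impact are listed.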
Remediation
It is recommended to require authentication on the Druid monitoring servlet (Druid's StatViewServlet supports a login username and password), set a strong password, and additionally restrict the page to trusted addresses or disable it entirely in production deployments.
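One way to apply that remediation in a Spring Boot application, shown as an added example rather than the Smart-Admin project's own configuration: register Druid's StatViewServlet with the login, address-allowlist and reset init parameters it already understands, read the credentials from externalised properties, and keep the servlet out of the production profile. The property names druid.monitor.username and druid.monitor.password and the /druid/* mapping are assumptions for this illustration.

```java
import com.alibaba.druid.support.http.StatViewServlet;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

@Configuration
public class DruidStatViewConfig {

    // Assumed property names; the values come from the environment or a secrets store,
    // never from source control.
    @Value("${druid.monitor.username}")
    private String monitorUsername;

    @Value("${druid.monitor.password}")
    private String monitorPassword;

    /*
     * BEFORE (the condition described in the advisory): the servlet is registered with no
     * loginUsername/loginPassword and no allow list, so /druid/index.html, /druid/sql.json
     * and /druid/websession.json answer any unauthenticated remote request.
     *
     *   @Bean
     *   public ServletRegistrationBean<StatViewServlet> exposedDruidStatView() {
     *       return new ServletRegistrationBean<>(new StatViewServlet(), "/druid/*");
     *   }
     */

    /*
     * AFTER: credentials required, access limited to loopback, statistics reset disabled,
     * and the servlet is not created at all under the "prod" profile.
     */
    @Bean
    @Profile("!prod")
    public ServletRegistrationBean<StatViewServlet> druidStatView() {
        ServletRegistrationBean<StatViewServlet> bean =
                new ServletRegistrationBean<>(new StatViewServlet(), "/druid/*");

        // Druid redirects unauthenticated clients to login.html once these are set.
        bean.addInitParameter("loginUsername", monitorUsername);
        bean.addInitParameter("loginPassword", monitorPassword);

        // Comma-separated allow list; an empty "allow" means every address is permitted,
        // so it must be set explicitly. Widen to an admin VPN range if loopback is too strict.
        bean.addInitParameter("allow", "127.0.0.1");

        // Block /druid/reset-all.json so a logged-in viewer cannot wipe the statistics.
        bean.addInitParameter("resetEnable", "false");
        return bean;
    }
}
```

After deploying, repeat the unauthenticated request from the Reproduction section: the index page should now redirect to the Druid login page, and requests from addresses outside the allow list should be refused regardless of credentials.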
