Eladmin Users API Improper Access Control Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability exists in Eladmin versions through 2.7 within the Users API Endpoint, specifically in the UserController file. The issue arises from improper access controls in the checkLevel function, allowing secondary administrators with the user:add permission to inject a true value into the isAdmin field when creating users. This manipulation bypasses the role-based permission system, granting super admin rights to the new user. The vulnerability can be exploited remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows unauthorized privilege escalation, giving standard users super admin rights and bypassing all role-based access controls.

Reproduction

To reproduce this vulnerability, log in as a user with 'user:add' permission. Create a user through the API by sending a POST request to the '/api/users' endpoint. Include 'isAdmin' set to true in the request body, along with the necessary user details. Once the user is created, verify the privilege escalation by logging in as the new user and accessing an endpoint that requires admin rights, which should be granted despite not having the appropriate role.
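As an added illustration (not code from the Eladmin project), the following shows the server-side guard that closes the gap described above, deciding from the caller's own server-side identity rather than from the request body, plus a check over constructed JSON-lines request logs that flags creation requests on /api/users which set isAdmin from a caller who is not a super admin. The Principal type, the permission string layout and the log format are assumptions.

```python
import json
from dataclasses import dataclass, field

PRIVILEGED_FIELDS = {"isAdmin"}  # fields only a super admin may set on a new user


@dataclass
class Principal:
    """Assumed shape of the authenticated caller (not Eladmin's own type)."""
    username: str
    permissions: set = field(default_factory=set)
    is_admin: bool = False  # whether the caller is itself a super admin


def authorize_user_create(caller: Principal, body: dict) -> tuple[bool, str]:
    """Guard for POST /api/users. Returns (allowed, reason).

    A caller holding only user:add may create users but may not set any
    privileged field; the decision never trusts flags in the request body.
    """
    if not caller.is_admin and "user:add" not in caller.permissions:
        return False, "caller lacks user:add"
    elevated = sorted(f for f in PRIVILEGED_FIELDS if body.get(f) is True)
    if elevated and not caller.is_admin:
        return False, "non-admin caller attempted to set " + ", ".join(elevated)
    return True, "ok"


# Constructed sample request log in JSON-lines form (not real Eladmin output).
SAMPLE_LOG = "\n".join([
    json.dumps({"user": "ops2", "admin": False, "method": "POST", "path": "/api/users",
                "body": {"username": "newguy", "isAdmin": True}}),
    json.dumps({"user": "root", "admin": True, "method": "POST", "path": "/api/users",
                "body": {"username": "auditor", "isAdmin": True}}),
    json.dumps({"user": "ops2", "admin": False, "method": "POST", "path": "/api/users",
                "body": {"username": "intern", "isAdmin": False}}),
])


def find_escalation_attempts(log_text: str) -> list[str]:
    """Return 'caller->newuser' for each user-creation request that sets
    isAdmin to true while the caller is not a super admin."""
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or rec["path"] != "/api/users":
            continue
        body = rec.get("body", {})
        if body.get("isAdmin") is True and not rec["admin"]:
            hits.append(f"{rec['user']}->{body.get('username', '?')}")
    return hits
```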

Added: May 8, 2026, 3:19 AM
Updated: May 8, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.