Sushmi-pal Invoice System User Management Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Sushmi-pal Invoice System in versions prior to commit a0a3faa16dee2621b231ae227333f5761607283b. The issue resides in the User Management Handler that serves the '/user' route. It is remotely exploitable by supplying a 'role' parameter in the request: the handler writes the client-supplied role to the account without checking either that the caller is an administrator or that the value is one the application permits (improper authorization combined with mass assignment of a privileged field). As a result, a non-admin user can create a new account with an administrative role, or modify an existing account to give it one.

Impact

Exploitation of this vulnerability allows a non-admin user to escalate to administrator, gaining access to every administrative function of the invoice system. The same weakness also allows the modification of existing user accounts to grant them elevated permissions, so an attacker can both mint new admin accounts and promote accounts they already control.

Reproduction

To reproduce this vulnerability, send a POST request to the '/user' endpoint as a user without admin privileges, with a body that includes the 'role' parameter set to an administrative value such as 'admin'. Because the server performs no authorization check on the route and no validation of the 'role' value, the request succeeds and the account is created (or updated) with that role. To confirm, read the account back or log in with it and check that administrative functions are reachable.

Remediation

To address this vulnerability, enforce authorization by protecting all '/user' routes with admin-only middleware, so that a non-admin request never reaches the handler. In addition, restrict the input: remove the 'role' field from the model's fillable array (so it cannot be mass-assigned from request data) or validate it against a trusted whitelist of permitted roles before writing it. Implementing Laravel Policies to authorize user creation and updates adds a second, per-action check that does not depend on the route configuration being correct. Both measures are needed: middleware alone does not stop an administrator-only endpoint from accepting arbitrary role values, and input restriction alone does not stop a non-admin from reaching the endpoint. The upstream fix is in commit a0a3faa16dee2621b231ae227333f5761607283b.
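The following is an added illustration, not code from the Sushmi-pal Invoice System or its fix commit. It shows, in a single file, the Laravel pattern the Reproduction section exploits (a controller that mass-assigns a client-supplied 'role' with no authorization check) next to a hardened version that applies the three remediation measures above: admin-only middleware on the routes, 'role' removed from the fillable array and validated against a whitelist, and a Policy authorizing creation and updates. Every name in it (the User model shape, UserPolicy, UserController, the 'admin' middleware alias, the ROLES list, the route definitions) is an assumption for the example.

```php
<?php
// Added example; not the project's code. All class, route and middleware
// names are assumptions. Three app files are collapsed into one for reading.

namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Hardened: 'role' is deliberately NOT mass-assignable. The vulnerable
    // pattern is this same model with 'role' added to $fillable.
    protected $fillable = ['name', 'email', 'password'];
}

namespace App\Policies;

use App\Models\User;

// Laravel auto-discovers App\Policies\UserPolicy for App\Models\User.
class UserPolicy
{
    public function create(User $actor): bool
    {
        return $actor->role === 'admin';
    }

    public function update(User $actor, User $target): bool
    {
        return $actor->role === 'admin';
    }
}

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rule;

// Vulnerable shape: whatever the client sends (including role=admin) is
// written to the model, and nothing checks who is calling.
class VulnerableUserController extends Controller
{
    public function store(Request $request)
    {
        return User::create($request->all());
    }

    public function update(Request $request, User $user)
    {
        $user->update($request->all());
        return $user;
    }
}

// Hardened shape: policy check, whitelist validation of 'role', explicit writes.
class UserController extends Controller
{
    use AuthorizesRequests;

    private const ROLES = ['user', 'admin'];   // assumed role set

    public function store(Request $request)
    {
        $this->authorize('create', User::class);   // UserPolicy::create

        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'unique:users,email'],
            'password' => ['required', 'string', 'min:12'],
            'role'     => ['required', Rule::in(self::ROLES)],
        ]);

        $user = new User();
        $user->name     = $data['name'];
        $user->email    = $data['email'];
        $user->password = Hash::make($data['password']);
        $user->role     = $data['role'];   // only a value from ROLES gets here
        $user->save();

        return response()->json($user, 201);
    }

    public function update(Request $request, User $user)
    {
        $this->authorize('update', $user);   // UserPolicy::update

        $data = $request->validate([
            'name'  => ['sometimes', 'string', 'max:255'],
            'email' => ['sometimes', 'email', Rule::unique('users')->ignore($user->id)],
            'role'  => ['sometimes', Rule::in(self::ROLES)],
        ]);

        // forceFill bypasses $fillable on purpose: $data holds only the
        // validated keys above, so no other client-controlled field is written.
        $user->forceFill($data)->save();

        return response()->json($user);
    }
}

// routes/web.php (assumed): every '/user' route sits behind 'auth' and the
// assumed 'admin' middleware alias, so a non-admin never reaches the handler.
// Route::middleware(['auth', 'admin'])->group(function () {
//     Route::post('/user', [UserController::class, 'store']);
//     Route::put('/user/{user}', [UserController::class, 'update']);
// });
```

With the hardened controller, the reproduction request from a non-admin is rejected by the middleware before the controller runs; an admin who sends an unrecognised role value is rejected by the validator; and even if a route were later added without the middleware, the Policy check in each action still refuses non-admin callers. Note that Rule::in(self::ROLES) still lets an administrator assign 'admin', which is the intended behaviour; the whitelist stops arbitrary values, not legitimate promotion.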

Added: May 26, 2026, 8:22 PM
Updated: May 26, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm (8 categories, each scored 0.0 to 10.0)

spread:         0.0
impact:         5.0
exploitability: 8.7
remediation:    0.0
relevance:      9.4
threat:         6.4
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.