Account Owner Email Address Leakage Leads To Improper Access Control in kiwitcms/kiwi
Apr 15th 2023
Hi team, when I try to create users on https://public.tenant.kiwitcms.org/admin/auth/user/<yourid>/change/ I see that the users are not properly authenticated. I can create users with the same first name, last name, and email. Normally, when we create the same user it should error with the responses "user already exists" and "email already exists"; this is a business logic vulnerability as well. I can also create users with the account owner's email address firstname.lastname@example.org and it works. Now I have users with the account owner's email address at kiwitcms.org.
Proof of Concept
1. Go to "create account" and then go to "My profile".
2. Enter your first name, e.g. "test", last name "demo", and an email address. You can use email@example.com up to 3 times.
3. You successfully create users with the same email address, first name and last name.

Impact
Attackers can arbitrarily, and without the victim's consent, make new users use their email.
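The report above boils down to a missing server-side uniqueness check on the email address at registration. The following is an added illustration (not Kiwi TCMS code) of how a registration handler can reject duplicate and reserved addresses; `UserStore`, `register` and the reserved-domain set are hypothetical names chosen for this example.

```python
"""Constructed example: registration that enforces unique, normalized
e-mail addresses. Not Kiwi TCMS code; names here are hypothetical."""
from dataclasses import dataclass, field


class RegistrationError(ValueError):
    """Raised when a registration request must be rejected."""


def normalize_email(email: str) -> str:
    # Trim whitespace and lower-case the whole address so that
    # "Email@Example.com" and " email@example.com " collide with
    # "email@example.com" instead of slipping past an exact-match check.
    email = email.strip()
    if email.count("@") != 1 or not all(email.split("@")):
        raise RegistrationError("malformed e-mail address")
    return email.lower()


@dataclass
class UserStore:
    # Domains owned by the operator (assumption for this example); users
    # may not self-register with an address at one of these domains.
    reserved_domains: frozenset = frozenset()
    users: dict = field(default_factory=dict)  # keyed by normalized e-mail
    usernames: set = field(default_factory=set)

    def register(self, username, first_name, last_name, email):
        key = normalize_email(email)
        domain = key.rsplit("@", 1)[1]
        if domain in self.reserved_domains:
            raise RegistrationError("address domain is reserved")
        if key in self.users or username in self.usernames:
            # Reject instead of silently creating a second account. If
            # account enumeration is a concern, use one generic message.
            raise RegistrationError("user or e-mail already exists")
        self.users[key] = (username, first_name, last_name, email)
        self.usernames.add(username)
        return key


def demo():
    """Replays the report's PoC: same e-mail three times, then a reserved domain."""
    store = UserStore(reserved_domains=frozenset({"example.org"}))
    store.register("test1", "test", "demo", "email@example.com")
    rejected = 0
    for user, addr in (("test2", "Email@Example.com"),
                       ("test3", " email@example.com "),
                       ("test4", "firstname.lastname@example.org")):
        try:
            store.register(user, "test", "demo", addr)
        except RegistrationError:
            rejected += 1
    return len(store.users), rejected  # (1, 3)
```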