Improperly Controlled Modification of Dynamically-Determined Object Attributes in janeczku/calibre-web
Jul 23rd 2021
The name attribute is not properly restricted, so a user can change their username even when the view does not allow changing it.
🕵️♂️ Proof of Concept
# The change_profile() method also saves the name if it is present in the request.
# It does not check whether the user has permission to change it.
current_user.name = check_username(to_save["name"])
- Go to user profile.
- Change the email address or any data.
- Intercept the request.
- In the request body, add the value name=name+changed! to the other attributes.
- Send the request.
- See that the change has been made.
This vulnerability allows an unauthorized change of the username.
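The flaw described above, next to a server-side allow-list that closes it, as an added example that is not calibre-web's own code. User, ROLE_EDIT_NAME, vulnerable_update and apply_profile_update are hypothetical names, and the permission bit and field sets are assumptions.

```python
# Added illustration; every name here is hypothetical, not calibre-web's API.
from dataclasses import dataclass

ROLE_EDIT_NAME = 0x1  # assumed permission bit: "may rename own account"

# Fields any logged-in user may change, and fields gated by a permission.
ALWAYS_EDITABLE = {"email", "locale"}
GATED_FIELDS = {"name": ROLE_EDIT_NAME}


@dataclass
class User:
    name: str
    email: str
    locale: str = "en"
    role: int = 0


def vulnerable_update(user, to_save):
    """Mirrors the reported flaw: any known key present in the request is saved."""
    for field in ("name", "email", "locale"):
        if field in to_save:
            setattr(user, field, to_save[field])
    return user


def apply_profile_update(user, to_save):
    """Decide per field on the server; hiding the input in the view is not a control."""
    rejected = []
    for field, value in to_save.items():
        required = GATED_FIELDS.get(field)
        if field in ALWAYS_EDITABLE or (required and user.role & required):
            setattr(user, field, value)
        else:
            rejected.append(field)  # unknown or not permitted: skip and report
    return rejected


# Constructed request body: the profile form plus an added "name" key.
REQUEST = {"email": "new@example.org", "name": "name changed!"}

if __name__ == "__main__":
    print(vulnerable_update(User("alice", "a@example.org"), REQUEST))
    restricted = User("alice", "a@example.org")
    print(apply_profile_update(restricted, REQUEST), restricted)
```

The rejected list is worth logging: a key the form never renders showing up in a profile update is a useful tampering signal.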