Privilege escalation from admin and normal user to super admin in 4jean/lav_sms

Valid

Reported on

Sep 19th 2022


Description

Lav_sms provides 5 types of roles. The issue is that an admin can escalate themselves to the super admin role, and can also escalate other, less privileged users, including accounts below the admin role.

Proof of Concept

1. POST /users/{id} with a custom payload via an API testing tool such as Postman or Insomnia.

Steps to reproduce

1. Login as admin.
2. Navigate to Edit Users Panel.
3. Click "Edit" on a user to get their HashId from the URL, or get the HashId of the current user by visiting My Profile.
4. Send a POST request to /users/{hashid} with the method override field, the CSRF token, and an extra field user_type = 'admin' or 'super_admin'.
5. The edited user is now an admin/super admin.

Impact

It is capable of giving unprivileged users (student, parent, teacher, accountant) the access of an admin or super admin. An admin can also make themselves super admin and gain complete control beyond what was originally intended for them: changing all settings, generating pins, and creating more admins as well as super admins.
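The report describes a classic mass-assignment weakness: the user update endpoint writes whatever fields arrive in the request body, so a role column (user_type) can be set by anyone allowed to edit a profile. The following Laravel controller is an added example written for this page, not lav_sms code and not the project's actual fix in commit 10a2e9. It places the unsafe pattern beside a hardened version that whitelists the profile fields and routes any role change through an explicit authorization check. The controller name, the field names (`name`, `email`, `user_type`) and the exact role strings are assumptions taken from the report, not verified against the project.

```php
<?php
// Added example (hypothetical), not code from 4jean/lav_sms.
// Shows the mass-assignment pattern behind the report and one way to close it.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class UserController extends Controller
{
    // Role names as listed in the report; the project's own identifiers may differ.
    private const ROLES = ['super_admin', 'admin', 'teacher', 'accountant', 'parent', 'student'];

    // VULNERABLE PATTERN: every field in the body, user_type included, is written to the model.
    // An admin who may edit profiles can add user_type=super_admin and promote any account.
    public function updateUnsafe(Request $request, User $user)
    {
        $user->update($request->all());
        return back();
    }

    // HARDENED: only named fields survive validation, and user_type is handled separately.
    public function update(Request $request, User $user)
    {
        $data = $request->validate([
            'name'      => ['required', 'string', 'max:100'],
            'email'     => ['required', 'email', 'max:255'],
            'user_type' => ['sometimes', Rule::in(self::ROLES)],
        ]);

        // validate() returns only the keys that had rules; unexpected fields are dropped.
        $profile = collect($data)->except('user_type')->all();
        $user->fill($profile);

        if (array_key_exists('user_type', $data) && $data['user_type'] !== $user->user_type) {
            // A role change is a privileged action and is authorized on its own,
            // independent of the right to edit the profile.
            abort_unless($this->canAssignRole($request->user(), $data['user_type']), 403);
            $user->user_type = $data['user_type'];
        }

        $user->save();
        return back()->with('flash_success', 'User updated');
    }

    // Hypothetical policy: only a super_admin may change roles. Admins keep their
    // ability to edit profiles but cannot change user_type, which is what the report abuses.
    private function canAssignRole(User $actor, string $role): bool
    {
        return $actor->user_type === 'super_admin';
    }
}
```

As defense in depth, the same column should also be excluded from mass assignment on the model itself (for example `protected $guarded = ['user_type'];` or a `$fillable` list that omits it), so that a future `update($request->all())` elsewhere in the code base cannot reintroduce the issue. Detection-wise, any request to the user update route that carries a `user_type` field from a non-super-admin session is worth logging and alerting on, since a legitimate UI would never send it.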

We are processing your report and will contact the 4jean/lav_sms team within 24 hours. 4 days ago
M kashif modified the report
4 days ago
We have contacted a member of the 4jean/lav_sms team and are waiting to hear back 3 days ago
Chinedu Okemiri
3 days ago

Maintainer


Thanks for the report. I'll look into the issue

Chinedu Okemiri validated this vulnerability 3 days ago
M kashif has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chinedu Okemiri confirmed that a fix has been merged on 10a2e9 3 days ago
Chinedu Okemiri has been awarded the fix bounty
M kashif
2 days ago

Researcher


You are most welcome:)
