Privilege escalation from admin and normal user to super admin in 4jean/lav_sms


Reported on

Sep 19th 2022


Lav_sms provides 5 types of roles. The issue is that an admin can escalate to the super admin role, both for himself and for other unprivileged users whose role is lower than admin.

Proof of Concept

1. POST /users/{id} with a custom payload via an API testing tool such as Postman or Insomnia.

Steps to reproduce

1. Log in as admin.
2. Navigate to the Edit Users panel.
3. Click "Edit user" to get the target user's HashId from the URL, or get the HashId of the current user by visiting My Profile.
4. Send a POST request to /users/{hashid} with the method field, the CSRF token and an extra field user_type = 'admin' or 'super_admin'.
5. The edited user is now admin/super_admin.


It is capable of giving unprivileged users such as student, parent, teacher and accountant the access of admin and super admin. The admin can even make themselves super admin and gain complete control beyond what was originally intended for them: changing all the settings, generating pins, and creating more admins as well as super admins.
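The root cause described above is that the user-update handler trusts a client-supplied user_type field. The following framework-free PHP sketch is an added example written for this report; it is not lav_sms code and does not reproduce its controllers. It contrasts the vulnerable pattern (the role column is writable through the update request) with a hardened one (an explicit allow-list of editable columns plus a server-side role-change policy). The role names are taken from the report; the column names, the user records, the payload and the policy itself (only super_admin may change roles, never its own, and never grant super_admin) are hypothetical choices made for this example.

```php
<?php
// Added example, not lav_sms code. Role names from the report; everything else is assumed.
declare(strict_types=1);

const ROLES = ['student', 'parent', 'teacher', 'accountant', 'admin', 'super_admin'];

class AuthorizationException extends RuntimeException {}

/** Vulnerable pattern: user_type is among the columns the update request may set. */
function updateUserVulnerable(array $actor, array $target, array $request): array
{
    $fillable = ['name', 'email', 'phone', 'user_type']; // role column is client-writable
    $changes = array_intersect_key($request, array_flip($fillable));
    // Nothing looks at $actor: whoever may edit the profile also picks the role.
    return array_merge($target, $changes);
}

/** Hardened pattern: allow-list excludes the role column; role changes go through a policy. */
function updateUserHardened(array $actor, array $target, array $request): array
{
    $fillable = ['name', 'email', 'phone']; // profile fields only, user_type deliberately absent
    $changes = array_intersect_key($request, array_flip($fillable));

    if (array_key_exists('user_type', $request)) {
        $newRole = (string) $request['user_type'];
        if (!in_array($newRole, ROLES, true)) {
            throw new InvalidArgumentException("unknown role: $newRole");
        }
        // Hypothetical policy: only super_admin may change roles, never for itself,
        // and super_admin is never granted through this endpoint.
        $allowed = $actor['user_type'] === 'super_admin'
            && $actor['id'] !== $target['id']
            && $newRole !== 'super_admin';
        if (!$allowed) {
            // Denied attempts are worth logging: they are the signal for this attack.
            throw new AuthorizationException(
                "{$actor['user_type']} #{$actor['id']} may not set user #{$target['id']} to $newRole"
            );
        }
        $changes['user_type'] = $newRole;
    }
    return array_merge($target, $changes);
}

// Constructed sample data: an admin edits a student, then edits its own profile,
// each time with the payload shape from the report (method, token, extra user_type).
$admin   = ['id' => 7,  'user_type' => 'admin',   'name' => 'A. Admin'];
$student = ['id' => 42, 'user_type' => 'student', 'name' => 'S. Tudent'];
$payload = ['_method' => 'PUT', '_token' => 'csrf-token-placeholder', 'user_type' => 'super_admin'];

$r = updateUserVulnerable($admin, $student, $payload);
echo "vulnerable: student #42 becomes {$r['user_type']}\n";

foreach ([[$admin, $student], [$admin, $admin]] as [$actor, $target]) {
    try {
        updateUserHardened($actor, $target, $payload);
        echo "hardened: change applied\n";
    } catch (AuthorizationException $e) {
        echo "hardened: rejected - {$e->getMessage()}\n";
    }
}
```

Run with `php example.php`; the vulnerable path reports the student promoted to super_admin, and both hardened calls are rejected. In a Laravel application the same two controls map onto keeping the role column out of the model's `$fillable` list (or listing it in `$guarded`) and performing the role-change check in a policy or in a form request's `authorize()` method, so that the decision is made from the authenticated user's role rather than from the request body.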

We are processing your report and will contact the 4jean/lav_sms team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
M kashif modified the report
a year ago
We have contacted a member of the 4jean/lav_sms team and are waiting to hear back a year ago
Chinedu Okemiri
a year ago


Thanks for the report. I'll look into the issue

Chinedu Okemiri validated this vulnerability a year ago
54keesh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chinedu Okemiri marked this as fixed in 1 with commit 10a2e9 a year ago
Chinedu Okemiri has been awarded the fix bounty
M kashif
a year ago


You are most welcome:)
