U.S. Dept Of Defense: Attacker can add itself as admin user and can also change privileges of existing users [█████████]
News category: Security vulnerabilities
Source: vulners.com
Hi there, I have found a vulnerability on your domain. After directory brute-forcing I found a directory without any kind of protection or authentication, so an attacker can add a new user to the site as Admin, and an attacker can also change the privileges of users without any authentication. For further details, read the steps to reproduce.

Impact
The attacker can add itself as an admin user and can also change user privileges without any authentication. This can have a huge impact: the entire site can be compromised.

System Host(s)
████

Affected Product(s) and Version(s)

CVE Numbers

Steps to Reproduce
1. Visit ████████:1:0::::: and you will see the website asking you to log in.
2. Now change the 1 to 9, or directly visit this URL.
3. Navigate to Add New User, enter an email address, first name and last name, and set agency to Non-Agency.
4. Click on Add New User.
5. Check your mail inbox: you will receive the username and password for the admin account you just created.
6. Log in with the credentials you just got in your email.

NOTE: I CREATED 2 ACCOUNTS WHILE TESTING THIS ISSUE. I HAVE PROVIDED CREDS FOR BOTH ACCOUNTS IN THE POC; MAKE SURE TO CHECK THEM AS WELL.

Suggested Mitigation/Remediation Actions
The website should have proper authentication for the URL ████████::::: so that no unauthorized user can add users or change the privileges of the existing...
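The flaw the steps describe, and the fix the remediation section asks for, as an added example that is not code from the report or from the affected site. It models an add-user / change-privileges page whose "show the login page?" decision depends on a client-controlled URL segment (the report's change of 1 to 9), next to a guarded version that decides from the server-side session and the stored role, plus a route audit that flags any state-changing route without the guard. The route paths, form field names, the `segment` attribute and the sample accounts are assumptions for illustration.

```python
"""Added example, not code from the report or the affected site.

Vulnerable handler: the only 'check' is a URL segment the client controls.
Fixed handlers: a guard that requires a logged-in session whose user holds
the admin role in the server-side store. Paths, field names and the
'segment' flag are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass, field
from functools import wraps

# Constructed in-memory user store (email -> record); not real accounts.
USERS = {
    "alice@example.invalid": {"role": "admin", "agency": "Non-Agency"},
    "bob@example.invalid": {"role": "user", "agency": "Non-Agency"},
}


@dataclass
class Request:
    method: str
    path: str
    segment: str = "1"                            # assumed: URL segment the site used as a login flag
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)   # {} means no login cookie


def _create_user(form):
    """Shared store logic; the guard, not this helper, decides access."""
    email = form["email"].strip().lower()
    if email in USERS:
        return 409, {"error": "user exists"}
    USERS[email] = {"role": form.get("role", "admin"),
                    "agency": form.get("agency", "Non-Agency")}
    # The report says credentials are e-mailed; here they are only generated.
    return 201, {"email": email, "temp_password": secrets.token_urlsafe(12)}


def add_user_vulnerable(req):
    """Segment '1' shows the login page; anything else falls through to the
    privileged action, so changing 1 to 9 in the URL is enough."""
    if req.segment == "1":
        return 302, {"redirect": "/login"}
    return _create_user(req.form)


def require_admin(handler):
    """Fixed: decide from the server-side session and the stored role."""
    @wraps(handler)
    def guarded(req):
        who = req.session.get("user")
        if not who:
            return 401, {"error": "login required"}
        if USERS.get(who, {}).get("role") != "admin":
            return 403, {"error": "admin role required"}
        return handler(req)
    guarded.protected = True   # marker used by the route audit below
    return guarded


@require_admin
def add_user_fixed(req):
    return _create_user(req.form)


@require_admin
def set_privileges_fixed(req):
    target = req.form["email"].strip().lower()
    if target not in USERS:
        return 404, {"error": "no such user"}
    USERS[target]["role"] = req.form["role"]
    return 200, {"email": target, "role": USERS[target]["role"]}


@require_admin
def list_users(req):
    return 200, {"users": sorted(USERS)}


ROUTES = {
    ("POST", "/admin/users/add"): add_user_fixed,
    ("POST", "/admin/users/privileges"): set_privileges_fixed,
    ("GET", "/admin/users"): list_users,
}


def dispatch(req):
    handler = ROUTES.get((req.method, req.path))
    return handler(req) if handler else (404, {"error": "not found"})


def unguarded_mutating_routes(routes):
    """Audit: every state-changing (non-GET) route must carry the guard."""
    return sorted(path for (method, path), h in routes.items()
                  if method != "GET" and not getattr(h, "protected", False))


if __name__ == "__main__":
    # Tampered segment bypasses the vulnerable handler's "login page".
    print(add_user_vulnerable(Request("POST", "/admin/users/add", segment="9",
                                      form={"email": "eve@example.invalid"})))
    # Same request against the guarded route is refused without a session.
    print(dispatch(Request("POST", "/admin/users/add",
                           form={"email": "mallory@example.invalid"})))
    # The audit flags a legacy route wired to the unguarded handler.
    print(unguarded_mutating_routes({**ROUTES, ("POST", "/legacy/add"): add_user_vulnerable}))
```

The point of the guard is that authorization is derived from state the client cannot forge (the session and the role stored for that session's user), never from a path or query value the client sends. The audit function is the check to run over a real route table after the fix: any non-GET route that is not wrapped is the next report.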