Privilege Escalation via Unauthorized Role Update Leading to Unauthorized Privilege Modification
Severity
High
CVSS v3.1 Score
8.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
During testing, it was identified that the application does not enforce proper authorization checks when updating user roles. A low-privileged authenticated user is able to change their own role, or another user's role, to a higher privilege level such as “admin”.
This vulnerability allows attackers to escalate privileges and gain unauthorized administrative access.
Affected Endpoint
PUT /api/users/<user-id>
Affected URL
https://app.redacted.io/users
Affected Components
User management functionality
Role update mechanism
Backend authorization
Technical Description
The application allows updating user roles through the /api/users/<user-id> endpoint. However, the backend does not validate whether the requesting user has permission to modify roles.
This allows a low-privileged user to escalate privileges by modifying the role parameter.
Steps to Reproduce
Step 1: Login
Log in using a low-privileged user account
Step 2: Intercept Request
Navigate to the Users/Profile section and intercept any update request using Burp Suite
Step 3: Modify & Forge Request
Replace the intercepted request with the following crafted request
Proof of Concept Request
PUT /api/users/<user-id> HTTP/2
Host: app.redacted.io
Cookie: <low-privileged-user-session-cookie>
User-Agent: Mozilla/5.0
Accept: application/json
Content-Type: application/json
Origin: https://app.redacted.io
Referer: https://app.redacted.io/users
Connection: close

{
"role": "admin"
}
Note
Use a valid session cookie from a low-privileged user account
Replace <user-id> with your own or another user ID
Step 4: Send Request
Step 5: Verify Impact
Observe that:
The request is processed successfully
The role is updated to admin
No authorization checks are enforced
Impact
Privilege Escalation: Attackers can gain administrative access
System Compromise: Full control over application features
Data Exposure: Access to sensitive data and configurations
Root Cause
Missing role validation in backend
Expected Behavior
Only authorized users should modify roles
Actual Behavior
Any authenticated user can modify roles
Recommendations
Enforce RBAC on role updates
Validate permissions server-side
Restrict role modification
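As an added illustration of these recommendations (example code written for this report, not the application's own code), the handler below simulates PUT /api/users/<user-id> with the authorization decided entirely server-side from the session's user; the role hierarchy, the ROLE_MANAGERS policy and the User model are assumptions for the example.

```python
from dataclasses import dataclass

# Assumed role hierarchy for this example: higher rank = more privilege.
ROLE_RANK = {"user": 1, "manager": 2, "admin": 3}
# Roles permitted to change roles at all (assumed policy).
ROLE_MANAGERS = {"admin"}

@dataclass
class User:
    id: str
    role: str

class AuthorizationError(Exception):
    pass

def update_role(actor: User, target: User, new_role: str) -> User:
    """Server-side check using the actor resolved from the session, not request fields."""
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    # The report's root cause: this check was missing entirely.
    if actor.role not in ROLE_MANAGERS:
        raise AuthorizationError("actor is not permitted to modify roles")
    # A role manager still may not hand out a role above its own.
    if ROLE_RANK[new_role] > ROLE_RANK[actor.role]:
        raise AuthorizationError("cannot grant a role above your own")
    # Block self-modification: closes the "modify your own role" path.
    if actor.id == target.id:
        raise AuthorizationError("cannot change your own role")
    target.role = new_role
    return target

def handle_put_user(session_user_id: str, target_id: str, body: dict,
                    users: dict) -> tuple:
    """Simulated PUT /api/users/<user-id>: returns (status, response body).
    session_user_id is resolved from the validated session cookie."""
    actor = users.get(session_user_id)
    if actor is None:
        return 401, {"error": "not authenticated"}
    target = users.get(target_id)
    if target is None:
        return 404, {"error": "no such user"}
    if "role" in body:
        try:
            update_role(actor, target, body["role"])
        except AuthorizationError as exc:
            return 403, {"error": str(exc)}
        except ValueError as exc:
            return 400, {"error": str(exc)}
    return 200, {"id": target.id, "role": target.role}
```

With this in place, the proof-of-concept body {"role": "admin"} sent with a low-privileged session returns 403 and leaves the stored role unchanged.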
Conclusion
The lack of authorization checks allows privilege escalation through role manipulation. This vulnerability is classified as High severity.