GRANDING UTime Master - IDOR (CVE-2023-45393)

 Hi All,

I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023). 

CVE ID: CVE-2023-45393

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser.

Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees.

  1. Login to UTime Master using any account.
  2. Capture the request in burpsuite with the valid cookies.
  3. modify the URL to "/base/adminlog/table/?page=1&limit=200"
  4. Forward the request and it will fetch all the admin logs.

IDOR has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

Comments

Popular posts from this blog

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

NetSkope Unauthenticated CSV Injection in Admin UI (CVE-2020-28845)