CVE-2021-37331 in Laravel Booking System Booking Core
Summary
by MITRE • 10/04/2021
Laravel Booking System Booking Core 2.0 is vulnerable to Incorrect Access Control. On the Verifications page, after uploading an ID Card or Trade License and viewing it, ID Cards and Trade Licenses of other vendors/users can be viewed by changing the URL.
Analysis
by VulDB Data Team • 10/08/2021
CVE-2021-37331 affects Laravel Booking System Booking Core version 2.0 and is an access control flaw in the Verifications page, where vendors and users upload identification documents (ID cards and trade licences) and view them afterwards. The document retrieval endpoint does not check that the requesting account owns the document it is asked to serve: once a user has uploaded and viewed their own document, they can change the identifier in that URL and retrieve the ID card or trade licence of any other vendor or user. The only gate in front of the endpoint is authentication, not authorization.
Technically, the flaw sits in the document viewing functionality. When a user views their own document, the application builds a URL that carries an identifier for that document; on the next request the server resolves the identifier directly to a stored file and streams it back without verifying that the document belongs to the caller. This maps to CWE-285 (Improper Authorization) and is a textbook insecure direct object reference (IDOR): the resource is selected entirely by client-supplied input, and being logged in is treated as sufficient to read every resource of that type. Note that the MITRE description only supports parameter manipulation in the URL; it does not describe a path traversal, and the stored file path is not attacker-controlled as far as the advisory goes.
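The following is an added illustration, not code from Booking Core, of the vulnerable pattern the advisory describes and a hardened equivalent. It assumes a hypothetical Eloquent model App\Models\VerificationDocument with columns id, user_id and path, a hasMany relation verificationDocuments() on the User model, a route /verification/{id}/view behind Laravel's auth middleware, and a hypothetical review-verifications Gate ability for back-office staff; all of these names are assumptions.

```php
<?php
// Added example, not the Booking Core code base. All class, column, route and
// Gate names below are hypothetical.

namespace App\Http\Controllers;

use App\Models\VerificationDocument;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class VerificationDocumentController extends Controller
{
    // VULNERABLE pattern (the bug class of CVE-2021-37331). The route sits
    // behind the `auth` middleware, so the caller is logged in, but the record
    // is fetched by the client-supplied {id} alone and the file is streamed
    // back whoever owns it. Changing {id} in the URL returns another vendor's
    // ID card or trade licence.
    public function showInsecure(Request $request, int $id)
    {
        $doc = VerificationDocument::findOrFail($id);

        return Storage::disk('local')->response($doc->path);
    }

    // HARDENED: scope the lookup to the authenticated user's own documents.
    // A record owned by someone else is simply not found (HTTP 404), which
    // also avoids confirming to the caller that the identifier exists.
    public function show(Request $request, int $id)
    {
        $doc = $request->user()
            ->verificationDocuments()   // hasMany(VerificationDocument::class, 'user_id')
            ->findOrFail($id);

        return Storage::disk('local')->response($doc->path);
    }

    // Staff who legitimately review every vendor's documents get an explicit,
    // auditable rule instead of a missing one: owner, or holder of the
    // hypothetical `review-verifications` Gate ability, otherwise 403.
    public function showForReview(Request $request, int $id)
    {
        $doc = VerificationDocument::findOrFail($id);

        abort_unless(
            $doc->user_id === $request->user()->id
                || $request->user()->can('review-verifications'),
            403
        );

        return Storage::disk('local')->response($doc->path);
    }
}

// routes/web.php (hypothetical): the check above only helps if the public
// route points at the scoped action, and uploads live on a private disk
// rather than under public/ where the web server would serve them directly.
//
// Route::middleware('auth')->group(function () {
//     Route::get('/verification/{id}/view',
//         [VerificationDocumentController::class, 'show']);
// });
```

The important property is that ownership is decided server-side from the session and the database row, not from anything in the URL; the identifier is only ever used to pick among documents the caller is already allowed to see. Validating that {id} is numeric does nothing for this bug.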
The operational impact goes beyond a generic information disclosure. The documents behind the Verifications page are government identity cards and business licences, so an attacker can harvest personal identification data and company registration details of every vendor on the platform, which is exactly the data a booking marketplace collects to establish trust between parties. For businesses that rely on the system for vendor verification this defeats the data segregation the feature exists to provide. Exploitation needs nothing more than an ordinary user or vendor account and a browser: view your own document, then edit the identifier in the address bar. That low bar makes the flaw attractive both to malicious insiders and to external actors who can obtain an account on the platform.
Mitigation is straightforward in principle: every document request must be authorized server-side against the requesting session, by scoping the lookup to documents the current user owns or by an explicit ownership or role check before the file is streamed. Input validation of the identifier does not substitute for this; a well-formed identifier for someone else's document is still a hole. Where back-office staff need to review all vendors' documents, grant that through a defined role or ability rather than by omitting the check. In ATT&CK terms the activity maps to T1078 (Valid Accounts): the attack is carried out entirely through a legitimate, low-privileged account, so it leaves no authentication anomalies to detect and shows up only as unusual document identifiers in access logs. Remediation should cover a review of every endpoint that serves uploaded files (view, download, thumbnail and any admin variant), automated authorization tests that exercise each such endpoint with a second user's session, and periodic assessment so the pattern does not return in later releases. The advisory does not name a fixed version; operators should check with the vendor and, until then, restrict access to the Verifications functionality.
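The "automated access control test" recommended above, written as an added Laravel feature test that is not part of Booking Core. It assumes hypothetical User and VerificationDocument models with factories, a user_id column and a path column on the document, a route /verification/{id}/view that serves the file from the local disk, and the default Laravel login redirect; these are assumptions, not details from the advisory. The test fails against the vulnerable behaviour (a second vendor receives 200 and the file) and passes once the endpoint is scoped to the owner.

```php
<?php
// Added example, not from the Booking Core code base. Model, factory, route
// and disk names are hypothetical.

namespace Tests\Feature;

use App\Models\User;
use App\Models\VerificationDocument;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Storage;
use Tests\TestCase;

class VerificationDocumentAccessTest extends TestCase
{
    use RefreshDatabase;

    public function test_vendor_cannot_view_another_vendors_document(): void
    {
        // Constructed fixture: a fake private disk holding the owner's ID card.
        Storage::fake('local');
        Storage::disk('local')->put('verifications/id-card-1.png', 'constructed image bytes');

        $owner = User::factory()->create();
        $other = User::factory()->create();
        $doc   = VerificationDocument::factory()->create([
            'user_id' => $owner->id,
            'path'    => 'verifications/id-card-1.png',
        ]);

        // The owner can still view their own document.
        $this->actingAs($owner)
            ->get("/verification/{$doc->id}/view")
            ->assertOk();

        // A different authenticated vendor must not. 404 is what a lookup
        // scoped to the caller's own documents returns; an explicit
        // ownership check would give 403. Either is acceptable, 200 is the bug.
        $response = $this->actingAs($other)->get("/verification/{$doc->id}/view");
        $this->assertContains($response->getStatusCode(), [403, 404]);

        // Unauthenticated requests never reach the file at all.
        $this->get("/verification/{$doc->id}/view")->assertRedirect('/login');
    }

    public function test_document_ids_are_not_enumerable_by_other_users(): void
    {
        // Every document of every other vendor must be unreachable, not just
        // the neighbouring id; the vulnerable code fails on the first iteration.
        $owner = User::factory()->create();
        $docs  = VerificationDocument::factory()->count(3)->create(['user_id' => $owner->id]);

        $attacker = User::factory()->create();
        foreach ($docs as $doc) {
            $this->actingAs($attacker)
                ->get("/verification/{$doc->id}/view")
                ->assertStatus(404);
        }
    }
}
```

Run it with php artisan test; a test of this shape, one per file-serving endpoint, is cheap to keep in CI and is the control that would have caught this class of bug before release.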