CVE-2024-45877 in TOPqw Webportal

Summary

by MITRE • 11/13/2024

baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. This allows a low privileged user to access all modules in the web portal, view and manipulate information and permissions of other users, lock other users or unlock their own account, change the password of other users, create new users or delete existing users, and view, manipulate and delete reference data.


Analysis

by VulDB Data Team • 11/27/2024

The vulnerability identified as CVE-2024-45877 affects the baltic-it TOPqw Webportal version 1.35.283.2 and represents a critical access control flaw within the User Management module. This weakness exists in the /Apps/TOPqw/BenutzerManagement.aspx component where proper authorization checks fail to validate user privileges before granting access to sensitive administrative functions. The flaw stems from inadequate input validation and insufficient privilege verification mechanisms that allow unauthorized users to bypass normal access restrictions and gain elevated privileges within the application's user management system.

This access control vulnerability maps directly to CWE-285, which describes improper authorization scenarios where systems fail to properly verify that users have appropriate permissions before granting access to protected resources. The flaw creates a dangerous privilege escalation path that enables low-privileged users to assume administrative roles and execute operations typically restricted to authorized administrators. The vulnerability impacts the core security model of the web portal by undermining the principle of least privilege and allowing unauthorized access to critical user management functions.

The operational impact of this vulnerability is severe and encompasses multiple high-risk activities that can compromise the entire system integrity. Affected users can manipulate user accounts including locking and unlocking other accounts, changing passwords for arbitrary users, creating new user accounts, and deleting existing user accounts. Additionally, the vulnerability permits access to reference data manipulation and deletion, which can include sensitive business information, configuration settings, and system parameters. This comprehensive access allows attackers to fundamentally alter the user access control structure and potentially establish persistent access to the system.

From a threat modeling perspective, this vulnerability aligns with several ATT&CK techniques including T1078 for valid accounts and T1531 for account access removal. The flaw provides attackers with the capability to move laterally within the system by creating new accounts or modifying existing ones, while also enabling them to disrupt normal operations through account lockouts or password changes. The ability to view and manipulate permissions across all modules means that an attacker could effectively become a system administrator with full control over user access and system configuration.

Mitigation strategies should focus on implementing proper authentication and authorization controls within the User Management component. The system must enforce strict privilege checks before allowing access to administrative functions, ensuring that only users with appropriate administrative roles can perform sensitive operations. Input validation and parameter sanitization should be strengthened to prevent unauthorized access attempts. Regular security audits and privilege reviews should be conducted to identify and remediate similar access control weaknesses. Additionally, implementing role-based access control with mandatory access controls and least privilege principles will help prevent unauthorized access to sensitive functions. The vendor should provide a security patch that addresses the authorization bypass and ensures proper validation of user privileges before executing administrative operations.
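As an added illustration (not code from TOPqw or from VulDB), the following hypothetical ASP.NET Web Forms code-behind shows the server-side authorization guard the mitigation above calls for on a user-management page; the role name, handler names and logging sink are assumptions.

```csharp
// Added illustration, not code from TOPqw or VulDB. Shows a per-request
// authorization guard on a hypothetical user-management page (CWE-285 fix).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class BenutzerManagement : Page
{
    // Assumed role name; substitute the application's real administrative role.
    private const string AdminRole = "Administrator";

    // Vulnerable pattern: a page whose Page_Load and action handlers never
    // check the caller's role runs for any authenticated, low-privileged user.
    // Hardened pattern: refuse the request before any work is done.
    protected void Page_Load(object sender, EventArgs e)
    {
        RequireAdministrator();
    }

    // Each action handler repeats the check so the protection does not rest
    // on a single entry point or on a UI control merely being hidden.
    protected void btnResetPassword_Click(object sender, EventArgs e)
    {
        RequireAdministrator();
        // ... reset the selected account's password (assumed handler body) ...
    }

    protected void btnDeleteUser_Click(object sender, EventArgs e)
    {
        RequireAdministrator();
        // ... delete the selected account (assumed handler body) ...
    }

    // Server-side check of the authenticated principal's role. Hiding the
    // menu entry or the button is not authorization; this check is.
    private void RequireAdministrator()
    {
        IPrincipal user = Context.User;
        if (user != null && user.Identity.IsAuthenticated && user.IsInRole(AdminRole))
        {
            return;
        }
        // Record the denied attempt so repeated probing is visible in monitoring.
        System.Diagnostics.Trace.TraceWarning(
            "Denied access to BenutzerManagement.aspx for user '{0}' from {1}",
            user?.Identity?.Name ?? "(anonymous)", Request.UserHostAddress);
        // Abort page processing with 403 instead of continuing the lifecycle.
        throw new HttpException(403, "Forbidden");
    }
}
```

A matching ASP.NET URL-authorization rule in web.config (a `<location>` element for the page path that allows the administrative role and denies all other users) adds a second, configuration-level layer in front of the same page.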

Responsible: MITRE
Reservation: 09/11/2024
Disclosure: 11/13/2024
Moderation: accepted
CPE: ready
EPSS: 0.00395
KEV: no
Activities: very low
