Submission #775464: Kodbox 1.64 Improper Access Controls

Title: Kodbox 1.64 Improper Access Controls

Description: In kodbox 1.64, the shareSafeGroup endpoint uses a signed sk parameter for access control. When the site API key is empty, the code falls back to a hard-coded default key in Mcrypt, which is known from the source code. An attacker can locally generate valid sk values using this default key and then, without authentication, call shareSafeGroup methods such as groupList and memberList to enumerate groups and read user information, including administrator details. To fix this, kodbox must remove the default key fallback, enforce a strong, non-empty shareOutSiteApiKey, adopt robust AEAD-based token protection, and require proper authentication and authorization for all shareSafeGroup operations.

Source: https://vulnplus-note.wetolink.com/share/rM8GdIOvQZrw

User: vulnplusbot (UID 96250)

Submitted: 09/03/2026 04:15 (2 months ago)

Moderated: 22/03/2026 12:40 (13 days later)

Status: Accepted

VulDB entry: 352424 [kalcaddle kodbox 1.64 Site-level API key shareOut.class.php shareSafeGroup sk weak encryption]

Points: 20
