Summary
The application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This violates the principle of least privilege and constitutes a classic example of Broken Access Control (OWASP Top 10 A01:2021). Because authorization is not validated at the function level, any authenticated user can perform actions intended only for privileged roles, leading to horizontal or vertical privilege escalation.
Detail
The backend user without permission was still able to list, create, update "Favourite Output Channel Configuration" item
Step to Reproduce the issue
login as Admin (full permission) and clicked "Favourite Output Channel Configurations"
Then, captured and saved the request:
-List API
-Create API
-Update API
Next, login a backend user with no permission
The copy the "Cookie" and "X-Pimcore-Csrf-Token"
After that, pasted the copied "Cookie" and "X-Pimcore-Csrf-Token" to captured request
- Create API
- Update API
Impact
Successful exploitation allows low-privileged or standard users to view, create, modify that should be restricted to specific administrative or operational roles. Depending on the sensitivity of these configurations (e.g., routing of alerts, reports, or data streams), an attacker could redirect critical outputs, suppress notifications, insert misleading channels, or gain insight into internal workflows. In regulated environments, this may result in compliance violations, operational disruption, or facilitation of further attacks through reconnaissance.
References
ytlamal Finder
Summary
The application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user without explicitely lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This violates the principle of least privilege and constitutes a classic example of Broken Access Control (OWASP Top 10 A01:2021). Because authorization is not validated at the function level, any authenticated user can perform actions intended only for privileged roles, leading to horizontal or vertical privilege escalation.
Detail
The backend user without permission was still able to list, create, update "Favourite Output Channel Configuration" item
Step to Reproduce the issue
login as Admin (full permission) and clicked "Favourite Output Channel Configurations"
Then, captured and saved the request:
-List API
-Create API
-Update API
Next, login a backend user with no permission
The copy the "Cookie" and "X-Pimcore-Csrf-Token"
After that, pasted the copied "Cookie" and "X-Pimcore-Csrf-Token" to captured request
- Create API
- Update APIImpact
Successful exploitation allows low-privileged or standard users to view, create, modify that should be restricted to specific administrative or operational roles. Depending on the sensitivity of these configurations (e.g., routing of alerts, reports, or data streams), an attacker could redirect critical outputs, suppress notifications, insert misleading channels, or gain insight into internal workflows. In regulated environments, this may result in compliance violations, operational disruption, or facilitation of further attacks through reconnaissance.
References