CVE-2023-43901: Unauthorized user modification in EMSigner
Business logic flaw in EMSigner v2.8.7 allowing attackers to modify usernames and downgrade privileges of registered users.
Summary
Name: Business Logic Flaw in EMSigner's Web Application User Management Allows Unauthorized Modification of User Names and Privileges.
Product: EMSigner
Affected versions: EMSigner v2.8.7
Affected Component: Endpoint /eMsecure/Users/AdhocUser and web parameter "Name"
Attack Type: Remote
Vulnerability Type: Incorrect Access Control
Impact: Integrity
CVSSv3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L — Base Score 7.1
CVE ID: CVE-2023-43901
Description
Incorrect access control in the AdHoc User creation form of EMSigner v2.8.7 allows unauthenticated attackers to arbitrarily modify usernames and privileges by using the email address of a registered user.
Vulnerability
The vulnerability is rooted in a critical business logic flaw within the user management system. This flaw permits unauthorized users to manipulate user data — including changing user names and downgrading user privileges — when using the email address of a registered user.
Attack Vector
The vulnerability is exploited through the AdHoc User creation form or web request. An attacker can modify user names and privileges by sending a request with the "Name" parameter and the email address of a registered user.
Exploitation
During a web application assessment that used EMSigner, we discovered that the AdHoc User form allowed overwriting or modifying existing user data when the email address of a registered user was provided.
- Logged in as a low-privilege user and accessed the AdHoc Users creation form.
- The attacker sends an HTTP POST request to /eMsecure/Users/AdhocUser with the "Name" parameter set to a new name and the email address of an existing user.
- The server processes the request, updates the user's name and downgrades the privileges associated with the provided email.
- The victim's username is changed and their privileges reduced to the minimum.
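The following Python is an added, constructed model of the behaviour described above, not EMSigner's code: a creation handler that upserts on email (renaming and downgrading an existing account) beside a create-only handler that checks the caller's role and refuses to touch a registered email. The roles, store and class names are assumptions.

```python
"""Constructed model of the advisory's flaw and its fix (not EMSigner code)."""
from dataclasses import dataclass, field

ADMIN, USER, ADHOC = "admin", "user", "adhoc"  # assumed privilege levels


@dataclass
class User:
    email: str
    name: str
    role: str


@dataclass
class UserStore:
    users: dict[str, User] = field(default_factory=dict)

    def register(self, email: str, name: str, role: str) -> None:
        self.users[email.lower()] = User(email.lower(), name, role)


class AccessDenied(Exception): ...
class Conflict(Exception): ...


def create_adhoc_user_vulnerable(store: UserStore, caller: User, name: str, email: str) -> User:
    """Upsert keyed on email: a registered account is silently renamed and downgraded."""
    user = User(email.lower(), name, ADHOC)
    store.users[email.lower()] = user  # no role check, no existence check
    return user


def create_adhoc_user_hardened(store: UserStore, caller: User, name: str, email: str) -> User:
    """Create-only handler: server-side authorisation, and an existing email is a hard stop."""
    if caller.role != ADMIN:
        raise AccessDenied("only administrators may create ad hoc users")
    key = email.lower()
    if key in store.users:
        raise Conflict("email already registered; existing accounts are never modified here")
    user = User(key, name, ADHOC)
    store.users[key] = user
    return user


def attempt(handler, store: UserStore, caller: User, name: str, email: str) -> str:
    """Run a handler and report the outcome as 'created', 'denied' or 'conflict'."""
    try:
        handler(store, caller, name, email)
        return "created"
    except AccessDenied:
        return "denied"
    except Conflict:
        return "conflict"
```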
Remediation
An updated version of EMSigner is available at the vendor page.
Credits
The vulnerability was discovered by Jean Paul Granados (SecPro).
References
Vendor page: https://www.emsigner.com/
Timeline
- 2023-02-27 — Vulnerability discovered.
- 2023-05-08 — Vendor contacted.
- 2023-05-24 — Vendor acknowledged the report.
- 2023-09-01 — Vulnerability patched.
- 2023-10-27 — Public disclosure.