Vulnerabilities · October 27, 2023 · 4 min

CVE-2023-43902: Privilege escalation via password recovery in EMSigner

High-severity vulnerability (CVSS v3.1 base score 8.8) in EMSigner v2.8.7 that lets an attacker holding a low-privileged account take over other users' accounts, including administrator accounts, through the "Forgot your password" feature.

Summary

Name: Privilege Escalation via "Forgot your password" functionality.

Product: EMSigner
Affected versions: EMSigner v2.8.7
Affected component: "Forgot your password" function, endpoint /Areas/Login/PasswordRecovery, web parameter "Email"
Attack Type: Remote
Impact: Escalation of Privileges
CVSSv3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — Base Score 8.8
CVE ID: CVE-2023-43902

Description

Incorrect access control in the "Forgot your password" function of EMSigner v2.8.7 allows an attacker who holds a low-privileged account (PR:L in the vector above) to gain access to the accounts of all registered users, including administrator accounts, by redirecting the password reset issued for another account to an address the attacker controls and then setting a new password for that account.

Vulnerability

The root cause is a missing server-side binding between the account whose password is being reset and the address the reset is delivered to. The PasswordRecovery endpoint trusts the client-supplied "Email" parameter as the delivery address, and the reset flow performs no check that the requester is entitled to reset the chosen account. A low-privileged user who triggers a reset for a higher-privileged account and swaps in their own address therefore receives that account's reset and can set a new password for it, including for administrators.

Attack Vector

From the attacker's side this behaves as an authentication bypass: the attacker never needs the administrator's current password or a valid reset token for their own account, only the ability to edit the "Email" parameter of the request that "Forgot your password" generates at /Areas/Login/PasswordRecovery. The reset for the administrator account is then delivered to the attacker, who chooses a new password for it.

Exploitation

During the assessment of a web app using EMSigner we found the following chain:

  1. With a low-privileged account, the attacker first exercises "Forgot your password" against their own test account to see how a normal reset behaves.
  2. On submitting the form, the reset link arrives at the address entered, as expected.
  3. The attacker then opens the PasswordRecovery form, triggers "Forgot your password" for the target account (for example, an administrator), intercepts the request to /Areas/Login/PasswordRecovery with a proxy and changes the "Email" parameter to an address the attacker controls.
  4. The reset for the target's account is delivered to the attacker's mailbox. The attacker sets a new password, logs in as the target and gains access to that account and the sensitive information it holds.
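To make the failure mode and the fix concrete, here is an added example in Python. It is my illustration, not EMSigner source code (which this write-up does not include). It assumes the reset request carries an account identifier (called `Account` here; the page names only the `Email` parameter) and replaces the mailer with an in-memory outbox so it runs offline. The vulnerable handler takes the delivery address from the request; the hardened one takes it from the account record and binds a short-lived, single-use token to that account:

```python
"""Password-reset flow: a handler that trusts a client-supplied recipient
beside a hardened one. Added illustration, not EMSigner source."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# Constructed sample accounts (hypothetical; not real EMSigner users).
USERS = {
    "admin":  {"id": 1, "email": "admin@example.test",  "password": "old-admin-pw"},
    "tester": {"id": 2, "email": "tester@example.test", "password": "old-user-pw"},
}


class Outbox:
    """Stands in for the mailer; records (recipient, user_id, token)."""
    def __init__(self):
        self.sent = []

    def send(self, recipient, user_id, token):
        self.sent.append((recipient, user_id, token))


def _issue_token(tokens, user_id):
    """Create a random token and store only its hash, bound to one user id."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    tokens[digest] = {"user_id": user_id, "expires": time.time() + TOKEN_TTL_SECONDS}
    return token


def vulnerable_password_recovery(form, outbox, tokens):
    """Assumed shape of the flawed handler: `Account` picks the user whose
    password is reset, while `Email` is read from the request and used as the
    delivery address. Changing `Email` redirects the victim's reset."""
    user = USERS.get(form.get("Account"))
    if user is None:
        return False                      # also leaks whether the account exists
    token = _issue_token(tokens, user["id"])
    outbox.send(form["Email"], user["id"], token)   # BUG: client-controlled recipient
    return True


def hardened_password_recovery(form, outbox, tokens):
    """Recipient is the address on record; the request cannot override it, and
    the response is the same whether or not the account exists."""
    user = USERS.get(form.get("Account"))
    if user is not None:
        token = _issue_token(tokens, user["id"])
        outbox.send(user["email"], user["id"], token)
    return True


def reset_password(tokens, token, new_password, now=None):
    """Consume a token. It must exist, be unexpired, and is removed on first
    use; the account it applies to comes from the server-side binding, never
    from the request. Returns the username changed, or None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = tokens.pop(digest, None)
    current = now if now is not None else time.time()
    if entry is None or current > entry["expires"]:
        return None
    for username, user in USERS.items():
        if user["id"] == entry["user_id"]:
            user["password"] = new_password
            return username
    return None


def tokens_leaked_to_attacker(handler):
    """Replay the chain from the write-up against `handler`: request a reset
    for 'admin' with the recipient swapped for an attacker mailbox, and return
    the admin tokens that landed there (an empty list means the handler held)."""
    outbox, tokens = Outbox(), {}
    handler({"Account": "admin", "Email": "attacker@evil.test"}, outbox, tokens)
    admin_id = USERS["admin"]["id"]
    return [tok for rcpt, uid, tok in outbox.sent
            if rcpt == "attacker@evil.test" and uid == admin_id]


if __name__ == "__main__":
    print("vulnerable handler leaked admin token:",
          bool(tokens_leaked_to_attacker(vulnerable_password_recovery)))
    print("hardened handler leaked admin token:",
          bool(tokens_leaked_to_attacker(hardened_password_recovery)))
```

`tokens_leaked_to_attacker` is the property a fix has to satisfy: no reset for account X may ever be delivered to an address that is not X's address of record, whatever the request says. Hashing the token at rest and popping it on first use are the two extra checks a reviewer would look for in the patched handler.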

Remediation

An updated version of EMSigner is available from the vendor page linked below; the timeline records the fix as released on 2023-09-01, so any deployment still on v2.8.7 should be upgraded. Whatever the product, a password-reset flow should send the reset only to the address on record for the account, never to an address taken from the request, and the reset token should be generated server-side, bound to that account, short-lived and single-use.

Credits

The vulnerability was discovered by Jean Paul Granados (SecPro).

References

Vendor page: https://www.emsigner.com/

Timeline

  • 2023-02-27 — Vulnerability discovered.
  • 2023-05-08 — Vendor contacted.
  • 2023-05-24 — Vendor acknowledged the report.
  • 2023-09-01 — Vulnerability patched.
  • 2023-10-27 — Public disclosure.
