Hasinohacker

Name of the Vulnerable Software and Affected Versions Budibase versões anteriores a 3.23.25 Description Budibase, uma plataforma de low-code de código aberto, contém uma falha de lógica de negócios em sua funcionalidade de redefinição de senha. O endpoint “Forgot Password” carece de limitação de taxa, CAPTCHA ou mecanismos de prevenção de abuso. Um invasor não autenticado pode acionar repetidamente solicitações de redefinição de senha para o mesmo endereço de e-mail, levando ao envio de um grande número de e-mails de redefinição de senha em um curto período. Isso pode resultar em inundações de e-mail, assédio ao usuário e negação de serviço (DoS) nas caixas de entrada dos usuários, causando potencialmente danos financeiros e de reputação. Recommendations Atualize o Budibase para a versão 3.23.25 ou posterior.

**Name of the Vulnerable Software and Affected Versions** Budibase (affected versions not specified) **Description** The platform exhibits a combination of Vertical Privilege Escalation and Insecure Direct Object Reference (IDOR) due to missing server-side Role-Based Access Control (RBAC) checks in the `/api/global/users` endpoints. A Creator-level user can perform actions beyond their authorized permissions, such as promoting an App Viewer to Tenant Admin, demoting a Tenant Admin to App Viewer, or modifying the Owner’s account details and all orders. This is possible because the API accepts these actions without validating the requesting role, allowing a Creator to replay Owner-only requests using their own session tokens, potentially leading to full tenant compromise. IDOR, or Insecure Direct Object Reference, is a type of access control issue that allows attackers to bypass authorization checks by directly manipulating object identifiers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.26.4 **Description** Budibase is a low code platform used for building internal tools, workflows, and admin panels. A Creator-level user, normally lacking UI permissions to invite users, can manipulate API requests to invite new users with any role – including Admin, Creator, or App Viewer – and assign them to any group within the organization. This enables full privilege escalation, bypassing UI restrictions, potentially leading to complete workspace or organization takeover. The API endpoint used for user invitation is susceptible to manipulation. The vulnerable request allows bypassing intended access controls. **Recommendations** Update Budibase to version 3.26.4 or later.