Hasinohacker

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.23.25 Description Budibase, an open-source low-code platform, contains a business logic issue in its password reset functionality. The “Forgot Password” endpoint lacks rate limiting, CAPTCHA, or abuse prevention mechanisms. An unauthenticated attacker can repeatedly trigger password reset requests for the same email address, leading to a large number of password reset emails being sent in a short period. This can result in email flooding, user harassment, and denial of service (DoS) against user inboxes, potentially causing financial and reputational damage. Recommendations Update Budibase to version 3.23.25 or later.

**Name of the Vulnerable Software and Affected Versions** Budibase (affected versions not specified) **Description** The platform exhibits a combination of Vertical Privilege Escalation and Insecure Direct Object Reference (IDOR) due to missing server-side Role-Based Access Control (RBAC) checks in the `/api/global/users` endpoints. A Creator-level user can perform actions beyond their authorized permissions, such as promoting an App Viewer to Tenant Admin, demoting a Tenant Admin to App Viewer, or modifying the Owner’s account details and all orders. This is possible because the API accepts these actions without validating the requesting role, allowing a Creator to replay Owner-only requests using their own session tokens, potentially leading to full tenant compromise. IDOR, or Insecure Direct Object Reference, is a type of access control issue that allows attackers to bypass authorization checks by directly manipulating object identifiers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.26.4 **Description** Budibase is a low code platform used for building internal tools, workflows, and admin panels. A Creator-level user, normally lacking UI permissions to invite users, can manipulate API requests to invite new users with any role – including Admin, Creator, or App Viewer – and assign them to any group within the organization. This enables full privilege escalation, bypassing UI restrictions, potentially leading to complete workspace or organization takeover. The API endpoint used for user invitation is susceptible to manipulation. The vulnerable request allows bypassing intended access controls. **Recommendations** Update Budibase to version 3.26.4 or later.