PT-2024-2061 · Pixelfed · Pixelfed
Thisismissem · Published 2024-02-12 · Updated 2024-10-11
CVE-2024-25108 · CVSS v3.1 9.9 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Pixelfed versions 0.10.4 through 0.11.9
Description
The issue arises from improper and insufficient authorization checks when processing requests, allowing attackers to access more functionality than intended, including administrative and moderator features. This affects every local user of a Pixelfed server and potentially impacts the server's ability to federate. Some user interaction is required to set up the conditions for the vulnerability, but attackers can conduct the attack in a time-delayed manner without active user interaction. A proof of concept exists, and the vulnerability has been addressed in version 0.11.11.
Technical details about exploitation include:
- API Endpoints: for example, `/api/admin/config/update` can be exploited with a `read`-scoped access token to perform administrative actions.
- Vulnerable Parameters or Variables: access tokens with the `read` scope can be used to perform actions that require higher-privilege scopes, such as `follow` or `admin:write`.
- Function Names: the vulnerability stems from improper checking of OAuth Application/Client permissions, allowing access to functionality the token was never authorized for.
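To make the missing check concrete, the following is an added illustration (not Pixelfed's code) of the difference between accepting any valid token and enforcing the scopes a route requires, plus the caller's role for admin routes. The route table, the `Token` shape and the sample requests are constructed for this example.

```python
# Added illustration, not Pixelfed's code: per-route OAuth scope enforcement
# (the check missing in CVE-2024-25108) plus a role check on admin routes.
from dataclasses import dataclass

# Constructed route table: the scope each route needs. Pixelfed's real table differs.
REQUIRED_SCOPES = {
    ("POST", "/api/admin/config/update"): {"admin:write"},
    ("POST", "/api/v1/accounts/1/follow"): {"follow"},
    ("GET", "/api/v1/accounts/verify_credentials"): {"read"},
}
ADMIN_PREFIX = "/api/admin/"


@dataclass(frozen=True)
class Token:
    user_id: int
    user_is_admin: bool
    scopes: frozenset  # scopes granted to the OAuth client, e.g. {"read"}


def vulnerable_authorize(token, method, path):
    """Checks only that some valid token was presented: a read-only token
    passes for every route, which is the flaw described above."""
    return token is not None


def fixed_authorize(token, method, path):
    """Allow only if the token carries every scope the route requires and,
    on admin routes, the user behind the token really is an admin.
    Unknown routes are denied (fail closed) instead of silently allowed."""
    if token is None:
        return False
    required = REQUIRED_SCOPES.get((method, path))
    if required is None or not required <= token.scopes:
        return False
    if path.startswith(ADMIN_PREFIX) and not token.user_is_admin:
        return False
    return True


def audit(requests, authorize):
    """Return the requests an authorizer lets through; running both
    authorizers over the same sample exposes the privilege gap."""
    return [(t.user_id, m, p) for t, m, p in requests if authorize(t, m, p)]


# Constructed sample: an ordinary user's read-only token hitting three routes.
READ_TOKEN = Token(user_id=42, user_is_admin=False, scopes=frozenset({"read"}))
SAMPLE_REQUESTS = [
    (READ_TOKEN, "GET", "/api/v1/accounts/verify_credentials"),
    (READ_TOKEN, "POST", "/api/v1/accounts/1/follow"),
    (READ_TOKEN, "POST", "/api/admin/config/update"),
]
```

Running `audit(SAMPLE_REQUESTS, vulnerable_authorize)` lets all three requests through, while `fixed_authorize` admits only the `read` route.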
Recommendations
- For versions 0.10.4 through 0.11.9, upgrade to version 0.11.11 to address the vulnerability.
- As a temporary workaround, consider restricting access to administrative and moderator functionality until the upgrade can be applied.
- Avoid using access tokens with broad scopes, and regularly review and revoke unused access tokens to minimize the risk of exploitation.
Exploit · Fix
Weakness types: Incorrect Authorization (CWE-863) · Improper Authorization (CWE-285)
Affected Products: Pixelfed