Beware! Vulnerability Allows Non-Admin Users to Gain Admin Access in FacileManager Web App Suite

CVE: CVE-2024-24573
CVSS v3.1: 8.8
Source: CVE-2024-24573

FacileManager is a popular web app suite used by system administrators to manage servers and infrastructure. Unfortunately, a high-severity vulnerability was discovered that could allow non-admin users to gain full admin access.

The issue arises in versions 4.5.0 and earlier of FacileManager. When a user updates their profile, a POST request is sent to a backend processing script. Attackers discovered they could manipulate this request to arbitrarily set their own user permissions to the highest “super user” level, even if they only had a regular non-admin account.

This type of privilege escalation vulnerability is very dangerous as it completely bypasses the normal access controls of the system. An attacker could use social engineering or other techniques to trick a non-admin user into performing some action that triggers the vulnerable profile update code. Once they have admin access, sensitive data and systems would be fully compromised.

The best way users can protect themselves is to immediately update FacileManager to the latest version, which has fixed this security issue. Administrators should also carefully review the permissions and activities of any accounts, in case some were compromised before the update. Being vigilant about applying patches is crucial for any software system, to ensure the latest fixes for vulnerabilities are always in place.
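To make the flaw class and the fix concrete, here is an added example (not FacileManager's own code, and not from the advisory's author) that models the profile-update handler described above in two forms, a vulnerable mass-assignment version and a hardened allow-list version, plus the kind of request-log check an administrator could run when reviewing account activity as the last paragraph recommends. The field names, the numeric permission levels, the `/profile/update` path and the log records are all assumptions constructed for illustration.

```python
"""Added example: profile-update handler modelled on the advisory's flaw class
(a client-controlled form field overriding the caller's privilege level).
Field names, permission values and the log format are assumed, not FacileManager's."""
from dataclasses import dataclass, replace

PERM_USER = 0
PERM_SUPER_USER = 1  # the "super user" level named in the advisory; numeric value assumed


@dataclass(frozen=True)
class User:
    username: str
    email: str
    permissions: int = PERM_USER


# Fields a user may change on their own profile (assumed allow-list).
SELF_EDITABLE = frozenset({"email"})


def update_profile_vulnerable(current: User, posted: dict) -> User:
    """Vulnerable pattern: every posted field that matches a record column is written,
    so a form submission that also carries 'permissions' elevates the account."""
    changes = {k: v for k, v in posted.items() if k in User.__dataclass_fields__}
    if "permissions" in changes:
        changes["permissions"] = int(changes["permissions"])
    return replace(current, **changes)


def update_profile_hardened(current: User, posted: dict, actor: User) -> tuple[User, list[str]]:
    """Hardened pattern: only allow-listed fields are taken from the form, and a
    privilege change is applied only when the acting session is already a super user.
    Returns the updated record and the list of posted fields that were rejected."""
    changes: dict = {}
    rejected: list[str] = []
    for key, value in posted.items():
        if key in SELF_EDITABLE:
            changes[key] = value
        elif key == "permissions" and actor.permissions == PERM_SUPER_USER:
            changes[key] = int(value)
        else:
            rejected.append(key)  # unknown or forbidden field; worth logging
    return replace(current, **changes), rejected


def find_suspicious_updates(entries: list[dict]) -> list[str]:
    """Defender check: flag profile updates in which a non-super-user session
    posted a 'permissions' field at all. Returns the usernames involved."""
    return [
        e["user"]
        for e in entries
        if e["path"] == "/profile/update"
        and "permissions" in e["fields"]
        and e["session_level"] != PERM_SUPER_USER
    ]


# Constructed request-log records (assumed format, not real FacileManager logs).
SAMPLE_LOG = [
    {"user": "alice", "path": "/profile/update", "fields": ["email"], "session_level": PERM_USER},
    {"user": "mallory", "path": "/profile/update", "fields": ["email", "permissions"], "session_level": PERM_USER},
    {"user": "root", "path": "/profile/update", "fields": ["permissions"], "session_level": PERM_SUPER_USER},
]


if __name__ == "__main__":
    bob = User("bob", "bob@example.com")
    crafted = {"email": "bob@example.com", "permissions": str(PERM_SUPER_USER)}
    print(update_profile_vulnerable(bob, crafted).permissions)      # 1: elevated
    safe, rejected = update_profile_hardened(bob, crafted, actor=bob)
    print(safe.permissions, rejected)                                # 0 ['permissions']
    print(find_suspicious_updates(SAMPLE_LOG))                       # ['mallory']
```

The hardened handler makes two separate decisions: which fields a self-service form may touch at all, and who may change a privilege field. Keeping those decisions server-side, rather than trusting whatever the form posts, is what closes this class of bug; the log check is only a retrospective aid for spotting accounts that may have been elevated before the patch was applied.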
