CVE-2022-35135
Description
Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Boodskap IoT Platform v4.4.9-02 lacks authentication on API endpoints, allowing unauthenticated privilege escalation via crafted requests to /api/user/upsert/.
Vulnerability
Boodskap IoT Platform v4.4.9-02 contains an authentication bypass vulnerability in its REST API. The /api/user/upsert/ endpoint processes requests without verifying a valid session cookie or API key, allowing any attacker to modify user profiles including role assignments. The platform does not enforce authentication on API requests, which is also demonstrated by a related issue (CVE-2022-35136) covering unauthenticated API access [1].
Exploitation
An attacker can exploit this by sending a crafted POST request to the /api/user/upsert/ endpoint with a blank Cookie header. The request body can include arbitrary user data, such as setting the "roles":["admin"] field. No prior authentication, user interaction, or network position beyond network access to the platform is required [1].
Impact
Successful exploitation grants the attacker administrative privileges on the IoT platform. This leads to full control over user accounts, device configurations, and sensitive data managed by the platform. The compromise severity is high due to the complete loss of confidentiality, integrity, and availability of the system [1].
Mitigation
As of the publication date (2022-10-13), no patch or fixed version has been released by the vendor. The platform remains vulnerable. Users should isolate the platform from untrusted networks and implement network-level access controls as a workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Boodskap/IoT Platform
- Range: =4.4.9-02
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.