CVE-2023-31445
Description
Read-only users in Cassia Access Controller before 2.1.1.2203171453 can enumerate all users and obtain email, phone, and privilege data via an unvalidated API endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cassia Access Controller versions before 2.1.1.2203171453 contain an information disclosure vulnerability reachable from a low-privilege (read-only) account. The /admin/(userId)/edit endpoint lacks proper authorization checks, allowing a read-only user to access and modify the account details of any other user by supplying a different userId in the request. User IDs are predictable because they are based on the UNIX timestamp of account creation, which can be obtained from logs that are also visible to read-only users [2][3].
Exploitation
An attacker with read-only access can first gather account creation timestamps from the logs, convert them to UNIX timestamps, and then use those timestamps as userId values in requests to the /admin/(userId)/edit endpoint. This enumeration can be performed manually or via brute-force, as the timestamps are easily guessable. No additional privileges or user interaction are required beyond the initial read-only account [2][3].
Impact
Successful exploitation allows a read-only user to enumerate all registered users and disclose sensitive information, including email addresses, phone numbers, and privilege levels. This information can be leveraged for targeted phishing campaigns or social engineering attacks against higher-privileged users [2][3].
Mitigation
The vulnerability is fixed in Cassia Access Controller version Cassia-AC-2.1.1.2207292123. Users should upgrade to this patched version or later. No workaround is documented; upgrading is the recommended action [2][3].
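The missing check described above is an object-level authorization gap: the endpoint confirms that the caller is logged in but never confirms that the caller may act on the requested userId. The following added example is not Cassia's code; it assumes a hypothetical in-memory user store with two roles (`admin` and `readonly`) and shows the unchecked handler pattern beside a hardened one that limits a read-only caller to its own record, returns the same denial for missing and forbidden records (so the endpoint cannot be used to confirm which IDs exist), and issues random user IDs instead of timestamp-derived ones.

```python
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class User:
    user_id: str
    email: str
    phone: str
    role: str  # "admin" or "readonly"


class Forbidden(Exception):
    """Raised when the caller may not act on the requested record."""


# Constructed sample store keyed by userId (hypothetical data, not the product's).
USERS: Dict[str, User] = {
    "admin-1": User("admin-1", "admin@example.invalid", "+10000000001", "admin"),
    "ro-1": User("ro-1", "reader@example.invalid", "+10000000002", "readonly"),
    "ro-2": User("ro-2", "other@example.invalid", "+10000000003", "readonly"),
}


def edit_user_unchecked(caller_id: str, target_id: str, store: Dict[str, User]) -> User:
    """The flawed pattern: authentication only, no object-level authorization.

    Any logged-in caller can fetch (and, in a real handler, modify) any userId.
    """
    if caller_id not in store:
        raise Forbidden("not authenticated")
    return store[target_id]  # target is never compared against the caller


def is_authorized(caller_id: str, target_id: str, store: Dict[str, User]) -> bool:
    """Object-level check: admins may reach any record, others only their own.

    A missing target is reported exactly like a forbidden one, so the check
    cannot be used to confirm whether a given userId exists.
    """
    caller = store.get(caller_id)
    if caller is None:
        return False
    if target_id not in store:
        return False
    return caller.role == "admin" or caller.user_id == target_id


def edit_user_checked(caller_id: str, target_id: str, store: Dict[str, User]) -> User:
    """Hardened handler: refuse before touching the target record."""
    if not is_authorized(caller_id, target_id, store):
        raise Forbidden("caller may not access this user")
    return store[target_id]


def new_user_id() -> str:
    """Random identifier; a creation timestamp would be guessable from logs."""
    return secrets.token_urlsafe(16)
```

`is_authorized` is the single decision point; keeping it separate from the handler makes it easy to unit-test every caller/target combination, which is the regression test a fix for this class of bug should ship with.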
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cassia / Access controller
- Range: <2.1.1.2203171453
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.