The CloudExplorer Lite missing permissions check
Description
CloudExplorer Lite is an open source cloud management platform. In CloudExplorer Lite prior to version 1.1.0, users' organization/workspace permissions are not properly checked. This allows users to add themselves to any organization. This vulnerability has been fixed in v1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CloudExplorer Lite <1.1.0 lacks server-side org/workspace permission checks, letting any user add themselves to any organization.
Vulnerability
CloudExplorer Lite prior to version 1.1.0 fails to enforce organization and workspace permissions on the server side [1]. Although the user interface restricts visibility and selection, the backend does not validate whether a user belongs to a given organization when processing profile update requests. This allows a user to modify their own profile and choose any organization ID, regardless of their actual membership. The affected versions are all releases up to and including 1.0.2 [1].
Exploitation
An attacker must be an authenticated user with a valid account on a CloudExplorer Lite instance [1]. The attacker intercepts the HTTP request sent when updating their profile (e.g., changing their organization) using a tool such as Burp Suite. They replace the legitimate organization ID in the request with the ID of any other organization they wish to join. The server accepts the modified request without verifying the attacker's permission to select that organization, resulting in successful assignment to the target organization [1].
Impact
By exploiting this vulnerability, an attacker can arbitrarily add themselves to any organization or workspace within the CloudExplorer Lite deployment [1]. Depending on the permissions granted to members of that organization, the attacker may gain access to sensitive resources, modify configurations, or perform actions that should be restricted. The impact includes unauthorized information disclosure and potential privilege escalation within the affected organizations.
Mitigation
The vulnerability is fixed in CloudExplorer Lite version 1.1.0 [1]. Users are strongly advised to upgrade immediately, as there is no known workaround [1]. The repository has been archived and is now read-only [1]; however, the fix remains available in the v1.1.0 release.
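The server-side check whose absence is described under Vulnerability, shown beside the unchecked form. This is an added example, not CloudExplorer Lite's code or its v1.1.0 fix; the `User` model, function names, field name `organization_id` and organization IDs are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request names an organization the caller was not granted."""


@dataclass
class User:
    user_id: str
    granted_orgs: frozenset  # server-side source of truth, set by an administrator
    current_org: str


def update_profile_unchecked(user, body):
    """The flaw as described: the client-supplied ID is stored as-is."""
    user.current_org = body["organization_id"]
    return user.current_org


def update_profile_checked(user, body, audit_log):
    """Re-validate the requested organization against server-side grants."""
    requested = body.get("organization_id")
    if not isinstance(requested, str) or requested not in user.granted_orgs:
        # The UI only offers granted organizations, so a denial here means the
        # request was altered after leaving the UI: log it as a detection signal.
        audit_log.append({"event": "org_select_denied",
                          "user": user.user_id, "requested": requested})
        raise Forbidden("organization not granted to this user")
    user.current_org = requested
    return user.current_org


def demo():
    """Run the same altered request body through both handlers (constructed data)."""
    altered = {"organization_id": "org-b"}  # ID changed after leaving the UI
    victim_of_flaw = User("alice", frozenset({"org-a"}), "org-a")
    unchecked_result = update_profile_unchecked(victim_of_flaw, altered)

    audit_log = []
    protected = User("alice", frozenset({"org-a"}), "org-a")
    try:
        update_profile_checked(protected, altered, audit_log)
    except Forbidden:
        pass
    return unchecked_result, protected.current_org, audit_log


if __name__ == "__main__":
    print(demo())
```

The denial record gives defenders something to alert on, since a request for an ungranted organization cannot originate from the restricted UI.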
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 1.1.0
- CloudExplorer-Dev/CloudExplorer-Lite (v5), Range: < 1.1.0
Patches
No patches discovered yet.
References
- [1] github.com/CloudExplorer-Dev/CloudExplorer-Lite/security/advisories/GHSA-hxjq-g9qv-pwq5 (mitre, x_refsource_CONFIRM)