[CVE-2025-26201] - GreaterWMS - Authentication Bypass via Credential Disclosure

Exploit Author: Aurelien BOURDOIS

Date: 02/01/2025

Vendor: GreaterWMS

Issue: Issue 383

Vulnerable Version:

  • GreaterWMS <= 2.1.49

Description:

A credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows a remote unauthenticated attacker to bypass authentication and escalate privileges.

Steps to Reproduce:

  1. Go to the main page.
  2. Intercept the request flow with a tool like Burp Suite.
  3. Enter a random username and password, then press the Login button.

It is possible to retrieve all the available OPENID values (warehouse ids) with the /warehouse/multiple GET request, even unauthenticated. Users are grouped by warehouse.

  1. In this intercepted request, we can see that the OPENID value automatically inserted on the login page appears in the token header.

  2. Send this request to the Repeater, then delete the staff_name and check_code parameters/values. It is then possible to retrieve all the users of this Center Warehouse (token / OPENID value).

  3. If desired, the results can then be filtered using the staff_name and staff_type parameters.

  4. The attacker then chooses the user to impersonate, taking that user's staff_name and check_code values and placing them in the intercepted request.

  5. By sending this request, which was intercepted during the authentication phase, the attacker is authenticated as the chosen user.

Impact:

An unauthenticated attacker can impersonate all users.
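As an added, defender-side illustration (not GreaterWMS code; the STAFF table, Request type and handler names are hypothetical), the listing behaviour described above beside the fix a maintainer would apply: the warehouse OPENID is public via /warehouse/multiple, so it cannot act as a credential, and /staff must require an authenticated user, scope results to that user's warehouse and never serialise check_code.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for a warehouse staff table (hypothetical).
STAFF = [
    {"openid": "wh-1", "staff_name": "alice", "staff_type": "Manager", "check_code": "1234"},
    {"openid": "wh-1", "staff_name": "bob", "staff_type": "Supervisor", "check_code": "5678"},
    {"openid": "wh-2", "staff_name": "carol", "staff_type": "Manager", "check_code": "9012"},
]


@dataclass
class Request:
    headers: dict
    params: dict = field(default_factory=dict)
    user: Optional[str] = None  # authenticated staff_name, None when unauthenticated


def _filter(rows, params):
    # Optional staff_name / staff_type filters, as used in the advisory's step 3.
    for key in ("staff_name", "staff_type"):
        if key in params:
            rows = [r for r in rows if r[key] == params[key]]
    return rows


def staff_list_vulnerable(req: Request) -> dict:
    """Models the advisory: any request whose token header carries a warehouse
    OPENID receives every staff record of that warehouse, check_code included."""
    rows = [r for r in STAFF if r["openid"] == req.headers.get("token")]
    return {"status": 200, "results": _filter(rows, req.params)}


def staff_list_hardened(req: Request) -> dict:
    """Hypothetical fix: reject unauthenticated callers, scope the listing to the
    caller's own warehouse and strip the credential field from the response."""
    me = next((r for r in STAFF if r["staff_name"] == req.user), None) if req.user else None
    if me is None:
        return {"status": 401, "results": []}
    rows = _filter([r for r in STAFF if r["openid"] == me["openid"]], req.params)
    public = ("openid", "staff_name", "staff_type")
    return {"status": 200, "results": [{k: r[k] for k in public} for r in rows]}
```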