Unit4 Financials by Coda, a widely-used financial management software, plays an essential role in streamlining financial processes for businesses and institutions. This software has been discovered to have a potentially dangerous vulnerability; specifically, in versions prior to 2023Q4. An authenticated user can abuse this vulnerability to modify the password of any other user within the application via a carefully crafted request.

This blog post will delve deep into the CVE-2024-28735 vulnerability, discussing affected components, its potential impact, and the feasible solutions to this security flaw. Additionally, the post will share a code snippet illustrating the vulnerability at work and provide links to original references and exploit details.

Overview of CVE-2024-28735

This vulnerability lies in the incorrect access control mechanism within Unit4 Financials by Coda, leading to an authorization bypass. If successfully executed, it allows an attacker with limited access (authenticated user) to change the password of any other user within the application, including administrators. This exposes the affected software to the risk of unauthorized access, and malicious actors can potentially compromise sensitive data.

Technical Details

The password modification feature in Unit4 Financials by Coda uses a particular POST request for updating user passwords. This request has insufficient access controls, allowing an authenticated user to change the password of another user by simply modifying the user ID in the request. The following code snippet demonstrates how this is done:

POST /unit4Financial/change_password.php HTTP/1.1
Host: vulnerable.example.com
Content-Type: application/x-www-form-urlencoded

user_id=TARGET_USER_ID&current_password=ATTACKERS_PASSWORD&new_password=NEW_PASSWORD

In this code snippet, the attacker only needs to change the TARGET_USER_ID to that of the victim, while keeping their password (ATTACKERS_PASSWORD) and the desired new password (NEW_PASSWORD). The request will bypass the access control and modify the targeted user's password without proper authorization.

Affected Components and Impact

The vulnerability affects Unit4 Financials versions prior to 2023Q4, in the incorrect access control system. While it requires the attacker to have an authenticated account within the application, the potential consequences can be severe, including unauthorized access, data manipulation, and information leakage.

This vulnerability was assigned the CVE-2024-28735 identifier. For more information, refer to the following links:

- CVE details
- Unit4 Financials Security Advisory
- NIST National Vulnerability Database

To address this security flaw, users of Unit4 Financials by Coda are advised to

1. Upgrade to the latest version (2023Q4 or later) as soon as possible, which includes necessary security patches to fix the incorrect access control vulnerability.

Keep abreast of and promptly apply any security updates released by Unit4.

4. Implement an intrusion detection system to monitor server logs for anomalous behavior tied to potential unauthorized access attempts.

Conclusion

CVE-2024-28735 is a crucial vulnerability in Unit4 Financials by Coda that can lead to damaging consequences for businesses relying on the software. This blog post has provided a comprehensive overview of the security flaw, code snippet examples, relevant links to original references, and effective mitigation strategies. By staying informed and diligently updating their software, users of Unit4 Financials can ensure robust security and consistently safeguard their financial data.

Timeline

Published on: 03/20/2024 15:15:07 UTC
Last modified on: 08/01/2024 13:49:15 UTC