ExHub offers cloud hosting, project collaboration, and deployment features. Among its functionalities is the ability for users to configure web hosting settings for their projects. The vulnerability resided in ExHub's API for project deployment configuration.

Specifically, the API lacked robust authorization checks, enabling any user, regardless of role or authentication status, to send crafted requests and alter hosting settings. Because access controls were improperly implemented, unauthorized users could exploit the system simply by knowing a project's unique identifier. This IDOR vulnerability effectively allowed unauthorized users to perform administrative actions such as changing machine types, ports, and DNS configurations, actions that should have been restricted to high-privilege roles.

The consequences were severe: attackers could manipulate deployment configurations, potentially gaining unauthorized access to sensitive resources, and compromised configurations might enable them to escalate privileges or chain attacks for further exploitation. The vulnerability was rated as Critical (CVSS score 9.8) but later downgraded to High (8.8) due to assumptions about the difficulty of obtaining project IDs.

By enforcing strict access controls and adopting secure-by-design principles, companies can safeguard their platforms from exploitation and build trust with their users.
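The pattern the article describes, a configuration endpoint that trusts the project ID alone, is illustrated below beside a hardened version. This is an added example written for this page, not ExHub's code or API; the project records, user names, roles and field names are all constructed. The hardened handler authenticates the caller, authorizes against the specific project (membership plus role), validates the submitted fields, returns the same 404 for unknown and forbidden projects so the endpoint does not confirm which IDs exist, and records an audit event that a detection rule could alert on.

```python
"""Insecure Direct Object Reference (IDOR) on a deployment-config endpoint:
a vulnerable handler next to a hardened one. All data and names are
constructed for this example and do not describe ExHub's real API."""
import copy
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two projects, each with hosting settings and members.
_SEED_PROJECTS = {
    "proj-1001": {
        "config": {"machine_type": "small", "port": 443, "dns": "app.example.test"},
        "members": {"alice": "owner", "bob": "viewer"},
    },
    "proj-1002": {
        "config": {"machine_type": "medium", "port": 8080, "dns": "api.example.test"},
        "members": {"carol": "owner"},
    },
}

EDITABLE_FIELDS = {"machine_type", "port", "dns"}   # what a caller may change
ADMIN_ROLES = {"owner", "admin"}                     # who may change it
AUDIT_LOG: list = []                                 # events for detection/IR


def fresh_projects() -> dict:
    """Return an independent copy of the sample store so each run starts clean."""
    return copy.deepcopy(_SEED_PROJECTS)


@dataclass
class Request:
    user: Optional[str]      # None models an unauthenticated caller
    project_id: str
    changes: dict


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def update_config_vulnerable(req: Request, projects: dict) -> Response:
    """Vulnerable handler: the only check is that the project exists, so any
    caller who knows a project ID can rewrite its hosting settings."""
    project = projects.get(req.project_id)
    if project is None:
        return Response(404, {"error": "not found"})
    project["config"].update(req.changes)
    return Response(200, dict(project["config"]))


def update_config_hardened(req: Request, projects: dict) -> Response:
    """Hardened handler: authenticate, authorize against this object, validate."""
    if req.user is None:
        return Response(401, {"error": "authentication required"})
    project = projects.get(req.project_id)
    role = project["members"].get(req.user) if project else None
    if role not in ADMIN_ROLES:
        # Same response for "no such project" and "not your project": the
        # endpoint must not act as an oracle for valid project IDs.
        AUDIT_LOG.append({"event": "config_change_denied",
                          "user": req.user, "project": req.project_id})
        return Response(404, {"error": "not found"})
    unknown = set(req.changes) - EDITABLE_FIELDS
    if unknown:
        return Response(400, {"error": f"unknown fields: {sorted(unknown)}"})
    project["config"].update(req.changes)
    AUDIT_LOG.append({"event": "config_change", "user": req.user,
                      "project": req.project_id, "fields": sorted(req.changes)})
    return Response(200, dict(project["config"]))


if __name__ == "__main__":
    store = fresh_projects()
    # Anonymous caller with a known ID succeeds against the vulnerable handler...
    print(update_config_vulnerable(Request(None, "proj-1001", {"dns": "x.test"}), store))
    # ...and is refused by the hardened one; the owner still gets through.
    print(update_config_hardened(Request(None, "proj-1001", {"dns": "x.test"}), store))
    print(update_config_hardened(Request("alice", "proj-1001", {"port": 8443}), store))
```

The decisive difference is that authorization is evaluated against the object being modified, not merely against whether the caller is logged in; a role check that ignores the project ID would still leave the IDOR in place. The denied-access audit events also give defenders a concrete signal: a single principal probing many project IDs and collecting 404s is exactly the behaviour the article's exploitation path would produce.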
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 17 Feb 2025 10:35:08 +0000