CVE-2022-45178 Information

Description

An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint the /settings/guest-settings endpoint the /settings/samlusers-settings endpoint and the /settings/users-settings endpoint. A malicious user (already logged in as a SAML User) is able to achieve privilege escalation from a low-privilege user (FGM user) to an administrative user (GGU user) including the administrator or create new users even without an admin role.

Reference

https://www.gruppotim.it/it/footer/red-team.html