Summary
Two security vulnerabilities were found in the Kener status page:
1. Member Role Privilege Escalation (CWE-862: Missing Authorization)
The updateMonitoringData endpoint lacks the AdminEditorCan role check that is present on all adjacent actions. Any authenticated member (a lower-privilege role) can therefore write monitoring data and metrics directly, compromising the integrity of the status page.
Vulnerability Pattern: Adjacent endpoints correctly enforce the AdminEditorCan role check; updateMonitoringData is the only action missing this validation. Because the check is per-action rather than enforced centrally, a single omitted guard is enough to expose the write path.
Impact: Members can falsify monitoring data to show services as healthy when they are down, or vice versa, which is a complete loss of status page integrity.
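The pattern described above, as an added example that is not Kener's code: a minimal model of form-action style handlers in plain JavaScript, with the vulnerable action (no role guard) beside the hardened one, plus a regression check that walks every registered mutating action and confirms a member is rejected. The guard name AdminEditorCan and the action name updateMonitoringData are taken from the report; the role names, the rank ordering, the store shape and the sample monitor are assumptions for illustration.

```javascript
// Added example (not Kener's own code). Role names, ranks, the store layout
// and the "api" monitor are constructed for illustration.

const ROLE_RANK = { member: 1, editor: 2, admin: 3 };

// Hypothetical guard in the shape the report describes: every mutating
// action is expected to call this before touching data. Unknown roles fail
// closed rather than falling through.
function AdminEditorCan(user) {
  if (!user || !(user.role in ROLE_RANK)) return false;
  return ROLE_RANK[user.role] >= ROLE_RANK.editor;
}

// Tiny in-memory stand-in for the monitor data table (constructed data).
function createStore() {
  return { monitors: { api: { status: "DOWN" } } };
}

// Vulnerable shape: only checks that *someone* is logged in. A member can
// flip a down service to "UP" on the public page.
function updateMonitoringDataVulnerable(store, user, monitorTag, status) {
  if (!user) return { error: "unauthenticated", status: 401 };
  store.monitors[monitorTag] = { status };
  return { ok: true };
}

// Hardened shape: the same write, behind the guard the adjacent actions use,
// and with the tag validated before it is used as a key.
function updateMonitoringDataFixed(store, user, monitorTag, status) {
  if (!user) return { error: "unauthenticated", status: 401 };
  if (!AdminEditorCan(user)) return { error: "forbidden", status: 403 };
  if (!Object.prototype.hasOwnProperty.call(store.monitors, monitorTag)) {
    return { error: "not found", status: 404 };
  }
  store.monitors[monitorTag] = { status };
  return { ok: true };
}

// Regression check: call every registered mutating action as a member and
// report the ones that either returned something other than 403 or changed
// the stored data. This catches the "one action forgot the guard" class of bug
// whenever a new action is added to the table.
function checkAllActionsRejectMember(actions) {
  const member = { id: 7, role: "member" };
  const failures = [];
  for (const [name, fn] of Object.entries(actions)) {
    const store = createStore();
    const res = fn(store, member, "api", "UP");
    if (res.status !== 403 || store.monitors.api.status !== "DOWN") failures.push(name);
  }
  return failures;
}

// Stand-alone run: lists the action a member can abuse.
const registeredActions = {
  updateMonitoringData: updateMonitoringDataVulnerable,
  updateMonitoringDataFixed,
};
console.log("actions a member can abuse:", checkAllActionsRejectMember(registeredActions));
```

The regression check is the part worth keeping: a per-action guard is only as strong as the discipline of adding it everywhere, so a test that enumerates the action table and asserts on a member's 403 turns a silent omission into a failing build.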
2. Deactivated User Authentication Bypass (CWE-613: Insufficient Session Expiration)
Neither the login endpoint nor session validation checks the is_active field. Deactivated users can continue to log in with their existing credentials, and sessions issued before deactivation keep full access until they expire on their own.
Vulnerability Pattern: Deactivation sets is_active=false, but no authentication or session logic ever reads the field, so the flag has no effect on access.
Impact: Deactivated accounts (terminated employees, revoked access) retain full access to the system with the privileges they had before deactivation.
Severity
Medium - Both vulnerabilities allow unauthorized actions after a role or account-status change that the administrator reasonably believes has already taken effect.
Recommended Fixes
- Add the AdminEditorCan role check to updateMonitoringData (match the pattern used in adjacent endpoints)
- Validate is_active during login and on every session validation, not only at login, so that a deactivation applies to sessions issued earlier
- Consider invalidating a user's existing sessions at the moment of deactivation, so access ends immediately rather than at session expiry
Please consider enabling GitHub's private security advisory reporting for faster responsible disclosure.