# Exploit Title: Approval of your own ticket with BFLA
# Google Dork: N/A
# Date: 22/01/2024
# Exploit Author: Thiago Miranda de Paula - dTMP3st
# Vendor Homepage: https://ellevo.com/
# Software Link: N/A
# Version: 6.2.0.38160
# Tested on: Kali Linux / Burp Suite
# CVE : CVE-2024-42759

Testing showed that Ellevo’s call tracking platform has a BFLA flaw that makes it possible to bypass the manager’s approval controls: customers already authenticated on the platform can approve their own open call after defining themselves as substitutes for themselves. This is done by calling the substitute registration endpoint in the application’s API, which allows any substitute X to be defined for any employee Y, and an employee can be their own substitute. The “approver” body field is set to the login of the ticket’s current approver, and the “substitute” field is set to the login of the employee who will approve their own ticket. The “startdate” and “enddate” body fields must also be filled in, in the format YYYY-MM-DDTHH:MM:SS.000z, to define the period during which the change remains in effect. After changing the necessary substitutes, simply open the desired ticket and the approvals will be carried out automatically, as the account that opened the ticket is the same one responsible for carrying out the approval process.

Steps to Reproduce:

  1. Map the login of the default approver of the desired ticket.
  2. Call the API endpoint, supplying the login of the ticket's approver and your own login as the substitute.
  3. Set the start and end dates for the change.
  4. Open the ticket.

After these steps, the ticket will be approved automatically without needing to go through the correct approver, who will certainly be the immediate superior.

Broken Function Level Authorization (BFLA) is a vulnerability that allows unauthorized access to certain functionalities or resources within an application. It occurs when an application does not properly validate user privileges or roles, allowing a user to access functionality they are not authorized to use.
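
The following is an added example, not code from Ellevo or from the original advisory. It sketches the server-side checks whose absence the advisory describes: a function-level check on substitute registration and a refusal of self-approval when the approver is resolved. The body field names come from the advisory; the function names, the role name and the logins are hypothetical.

```python
from datetime import datetime

ADMIN_ROLE = "substitution_admin"  # hypothetical role name (assumption)

class Forbidden(Exception):
    """Caller is not allowed to perform the operation."""

def parse_ts(value):
    # Format given in the advisory: YYYY-MM-DDTHH:MM:SS.000z
    return datetime.strptime(value.upper(), "%Y-%m-%dT%H:%M:%S.%fZ")

def authorize_substitution(caller, caller_roles, body):
    """Function-level check for the substitute registration call.

    caller and caller_roles must come from the authenticated session,
    never from the request body.
    """
    approver, substitute = body["approver"], body["substitute"]
    # Only the approver themselves or an administrator may delegate.
    if caller != approver and ADMIN_ROLE not in caller_roles:
        raise Forbidden("caller may not register a substitute for this approver")
    if substitute == approver:
        raise Forbidden("an approver cannot be their own substitute")
    start, end = parse_ts(body["startdate"]), parse_ts(body["enddate"])
    if end <= start:
        raise ValueError("enddate must be after startdate")
    return {"approver": approver, "substitute": substitute,
            "start": start, "end": end}

def effective_approver(ticket, substitutions, now):
    """Resolve who approves a ticket, refusing self-approval."""
    acting = ticket["approver"]
    for s in substitutions:
        if s["approver"] == acting and s["start"] <= now <= s["end"]:
            acting = s["substitute"]
            break
    # Defence in depth: the requester never approves their own ticket,
    # even if a stored substitution record says otherwise.
    if acting == ticket["requester"]:
        raise Forbidden("requester cannot approve their own ticket")
    return acting
```

The second check matters even after the endpoint is fixed, because substitution records created before the fix would otherwise still route approvals to the requester.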
