CVE-2024-48827
Published 2024-10-11

CVE-2024-48827: An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.
Priority: P2 (62) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged
EPSS: 2.72% (percentile 84.2)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sbond | watcharr | — | — |
Detection & IOCs (extracted from sources)
- Privilege escalation is performed by POSTing {"permissions": 3} to /api/server/users/{user_id} with a forged JWT Authorization header. Monitor for POST requests to /api/server/users/* with permissions value 3, 6, or 9 from non-admin sessions.
- The exploit authenticates via POST to /api/auth/ to obtain a legitimate JWT, then immediately crafts a new token with userId=1. Correlate rapid sequential calls to /api/auth/ followed by /api/server/users/* from the same source IP.
- userId=1 is hardcoded as the admin account in Watcharr. Flag any JWT payload where userId is set to 1 but the originating login session belonged to a different userId.
- Watcharr's JWT implementation does not enforce signature verification, allowing tokens to be decoded and re-encoded with an empty secret. This is the root cause enabling the privilege escalation — any deployment of Watcharr v1.43.0 and below is affected regardless of configuration.
- Partial admin privileges can also be obtained using permissions values 6 or 9, not only 3. Detection rules should cover all three values.
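The three detection items above, implemented as one small detector run over access-log events. This is an added defender's example, not code from the record or from the Watcharr project. It assumes a log schema (fields `ts`, `src`, `method`, `path`, `auth`, `body`, and `login_user` for successful logins), a 30-second correlation window, and sessions keyed by source IP; the admin userId of 1 and the permissions values 3, 6 and 9 are taken from the record, and the sample events and tokens are constructed fixtures.

```python
import base64
import json
import re
from datetime import datetime, timedelta

ADMIN_USER_ID = 1                           # Watcharr's hardcoded admin account (from the record)
RISKY_PERMISSIONS = {3, 6, 9}               # values the record says grant full or partial admin
CORRELATION_WINDOW = timedelta(seconds=30)  # assumed window for the login -> user-update chain
USER_UPDATE_PATH = re.compile(r"^/api/server/users/\d+$")
LOGIN_PATH = "/api/auth/"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_user_id(token: str):
    """Read the userId claim from a JWT payload for inspection only.

    The signature is not checked here on purpose: a detector reports what a
    token claims, and the record states the application never verified
    signatures, so the claim is the only signal the logs carry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None
    return payload.get("userId") if isinstance(payload, dict) else None


def _requested_permissions(body: str):
    """Extract the permissions value from a JSON request body, if any."""
    if not body:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data.get("permissions") if isinstance(data, dict) else None


def _alert(rule, ev, **details):
    return {"rule": rule, "ts": ev["ts"], "src": ev["src"], "path": ev["path"], **details}


def detect(events):
    """Apply the record's three detections to time-ordered access-log events.

    A login event records which userId the server issued a token for; every
    later user-update request from the same source IP is compared against it.
    Returns one alert dict per finding.
    """
    last_login = {}  # src IP -> (userId the session logged in as, login time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["method"] == "POST" and ev["path"] == LOGIN_PATH and ev.get("login_user") is not None:
            last_login[ev["src"]] = (ev["login_user"], ts)
            continue
        if ev["method"] != "POST" or not USER_UPDATE_PATH.match(ev["path"]):
            continue
        session_user, login_ts = last_login.get(ev["src"], (None, None))
        claimed_user = jwt_user_id(ev["auth"]) if ev.get("auth") else None
        perms = _requested_permissions(ev.get("body", ""))

        # 1. permissions 3/6/9 requested by a session that did not log in as admin
        if perms in RISKY_PERMISSIONS and session_user != ADMIN_USER_ID:
            alerts.append(_alert("risky_permissions_from_non_admin", ev,
                                 permissions=perms, session_user=session_user))
        # 2. login followed within the window by a user update from the same IP
        if login_ts is not None and ts - login_ts <= CORRELATION_WINDOW:
            alerts.append(_alert("login_then_user_update", ev,
                                 seconds_since_login=(ts - login_ts).total_seconds()))
        # 3. token claims the admin userId while the session logged in as someone else
        if claimed_user == ADMIN_USER_ID and session_user not in (None, ADMIN_USER_ID):
            alerts.append(_alert("admin_claim_from_other_session", ev, session_user=session_user))
    return alerts


def _sample_token(user_id: int) -> str:
    """Build a JWT-shaped string for the constructed fixture; the signature is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'userId': user_id})}.placeholder-signature"


# Constructed sample events (not real traffic): an admin's normal update, an
# attack chain from one IP, and an ordinary self-service change by user 7.
SAMPLE_EVENTS = [
    {"ts": "2024-10-11T10:00:00", "src": "10.0.0.5", "method": "POST", "path": LOGIN_PATH, "login_user": 1},
    {"ts": "2024-10-11T10:05:00", "src": "10.0.0.5", "method": "POST", "path": "/api/server/users/7",
     "auth": _sample_token(1), "body": '{"permissions": 3}'},
    {"ts": "2024-10-11T10:20:00", "src": "203.0.113.9", "method": "POST", "path": LOGIN_PATH, "login_user": 7},
    {"ts": "2024-10-11T10:20:03", "src": "203.0.113.9", "method": "POST", "path": "/api/server/users/7",
     "auth": _sample_token(1), "body": '{"permissions": 9}'},
    {"ts": "2024-10-11T10:30:00", "src": "198.51.100.4", "method": "POST", "path": LOGIN_PATH, "login_user": 7},
    {"ts": "2024-10-11T10:35:00", "src": "198.51.100.4", "method": "POST", "path": "/api/server/users/7",
     "auth": _sample_token(7), "body": '{"username": "bob"}'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying sessions by source IP is the crude correlation the record itself suggests; in a real deployment, tie the login and the later request together by the server-side session or request identifier instead, and treat an admin-permissions request with no observed login at all as suspicious rather than as noise.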
No detection rules found.
No writeups or analysis indexed.