Summary
StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.
Details
The Issue:
The endpoint /dashboard/content-management/edit?edit={UUID} validates user authentication but does NOT validate:
- User role (should require Editor/Admin/Owner)
- Content ownership (should verify the draft belongs to the user)
This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.
PoC
- User A: Editor role (example username:
dummy04)
- User B: Visitor role (example username:
dummy01)
Reproduction Steps:
Step 1 - Create draft as Editor:
- Login as User A (Editor role)
- Navigate to:
http://localhost:4321/dashboard/content-management
- Create new content (it will stay as draft)
- After saving, note the UUID in the URL:
http://localhost:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148
Copy this UUID: bad87630-69a4-4cd6-bcb2-6965839dc148
Step 2 - Access draft as Visitor:
- Login as Visitor and get auth_session cookie
curl -X POST "http://127.0.0.1:4321/studiocms_api/auth/login" -F 'username=dummy01' -F 'password=dummy01pass$'
- Proof of Visitor permission
- Access Editor's draft using the UUID
curl "http://127.0.0.1:4321/dashboard/content-management/edit?edit=bad87630-69a4-4cd6-bcb2-6965839dc148" -H "Cookie: auth_session=qvawh6zv23hc2spu6xx7pzgrnn4rpd3q" -v
Result: Returns full HTML page with draft content (200 OK)
Impact
Impact Scenarios:
-
Information Disclosure:
- Visitor users can read unpublished drafts containing sensitive information
- Drafts may contain confidential business information, unreleased announcements, or proprietary content
- Competitive intelligence could be gathered from draft content
-
Privacy Violation:
- Personal notes, work-in-progress content, or internal communications in drafts exposed
- Violation of content creator privacy expectations
-
Business Impact:
- Premature disclosure of marketing campaigns, product launches, or announcements
- Loss of competitive advantage if draft strategies are exposed
- Potential compliance issues if drafts contain regulated information
-
Complete RBAC Bypass:
- The entire role-based access control system for draft content is bypassed
- "Visitor" role becomes equivalent to "Editor" for read access to drafts
- Undermines the trust model of multi-user content management
FilipeGaudard Reporter
Adammatthiesen Remediation developer
Summary
StudioCMS contains a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users.
Details
The Issue:
The endpoint
/dashboard/content-management/edit?edit={UUID}validates user authentication but does NOT validate:This allows users with "Visitor" role (lowest privilege) to access draft content created by Editor/Admin/Owner users by directly accessing the edit URL with the content UUID.
PoC
dummy04)dummy01)Reproduction Steps:
Step 1 - Create draft as Editor:
http://localhost:4321/dashboard/content-managementCopy this UUID:
bad87630-69a4-4cd6-bcb2-6965839dc148Step 2 - Access draft as Visitor:
Result: Returns full HTML page with draft content (200 OK)
Impact
Impact Scenarios:
Information Disclosure:
Privacy Violation:
Business Impact:
Complete RBAC Bypass: