Report Vulnerability
Product: KONGA
Model: 0.14.9
Vulnerability: Privilege Escalation
Impact: Full admin access (vertical privilege escalation)
Authentication: required
Exploit Author: Fabricio Salomao (@_SOl0m0n) / Paulo Trindade (@paulotrindadec)
PoC
Below, a normal user called "usernormal" was created without privileges.
Through the request below, the flag "FALSE" in the parameter "admin" was changed to "TRUE".
After running the exploit, the privilege escalation was successful!
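As the PoC describes it, the server stored an "admin" value supplied by an unprivileged account. The JavaScript below is an added example, not part of the original report and not Konga's source code, contrasting that pattern with a server-side authorization and field allowlist check. The function names, the editable-field list, the boolean type of the flag and the "administrator" sample user are assumptions.

```javascript
// Added illustration: hypothetical user-update logic, not Konga's source code.
const PRIVILEGED_FIELDS = new Set(["admin"]); // flag named in the report
const SELF_EDITABLE = new Set(["firstName", "lastName", "email"]); // assumed profile fields

// Vulnerable pattern: the request body is merged into the record as-is,
// so a caller who sends "admin": true gets it stored.
function updateUserUnsafe(requester, target, body) {
  return Object.assign({}, target, body);
}

// Hardened pattern: authorize the caller, then accept only allowlisted fields.
function updateUserSafe(requester, target, body) {
  const isAdmin = requester.admin === true;
  if (!isAdmin && requester.id !== target.id) {
    return { ok: false, status: 403, reason: "cannot edit another user", user: target };
  }
  const rejected = Object.keys(body).filter(
    (k) => !(SELF_EDITABLE.has(k) || (isAdmin && PRIVILEGED_FIELDS.has(k)))
  );
  if (rejected.length > 0) {
    // Refuse instead of silently dropping, so the attempt shows up in logs.
    return { ok: false, status: 403, reason: "forbidden fields: " + rejected.join(","), user: target };
  }
  if ("admin" in body && typeof body.admin !== "boolean") {
    return { ok: false, status: 400, reason: "admin must be boolean", user: target };
  }
  return { ok: true, status: 200, user: Object.assign({}, target, body) };
}

// Constructed sample data mirroring the report's scenario.
const usernormal = { id: 2, username: "usernormal", admin: false };
const administrator = { id: 1, username: "administrator", admin: true };

function demo() {
  return {
    unsafe: updateUserUnsafe(usernormal, usernormal, { admin: true }),
    selfEscalation: updateUserSafe(usernormal, usernormal, { admin: true }),
    profileEdit: updateUserSafe(usernormal, usernormal, { email: "u@example.test" }),
    adminGrant: updateUserSafe(administrator, usernormal, { admin: true }),
  };
}
```

Returning 403 for a rejected field, instead of ignoring it, gives operators a log event to alert on when a non-admin account submits the "admin" parameter.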