Attack Chain

1. An attacker authenticates as a low-privileged backend user with the reports permission.
2. The attacker attempts to list available custom reports via the designated endpoint.
3. The server filters the list of reports based on sharing rules, excluding reports not explicitly shared with the user.
4. The attacker identifies a target report name through reconnaissance or other means.
5. The attacker crafts a direct request to the report detail endpoint, specifying the target report name.
6. The server checks only for generic reports permissions, bypassing the sharing rules enforced in the listing endpoint.
7. The server retrieves and returns the report configuration to the attacker.
8. The attacker gains unauthorized access to sensitive report metadata, including report name, data source configuration, and sharing settings.

Impact

Successful exploitation of this vulnerability allows unauthorized access to sensitive report metadata, including the report name, grouping information, display and icon metadata, data source configuration, column configuration, and sharing settings. This can lead to information disclosure and potentially further unauthorized actions, depending on the content of the reports. The source code suggests that other report endpoints like data, chart, create-csv, and download-csv might also be vulnerable due to similar resolution-by-name mechanisms.

Recommendation

• Deploy the Sigma rule Detect Pimcore CustomReports Share Bypass to your SIEM to identify requests to the report detail endpoint (getAction) for reports that are not listed as accessible to the user.
• Review and audit all custom report sharing configurations to ensure proper access controls are in place.
• Investigate other potentially vulnerable report endpoints, such as data, chart, create-csv, and download-csv, for similar access control bypass issues.