As you can see in timeline I discover this issue in 2014.
Last time when I contact with developers, they told me that “they will recheck this issue”.
But in the meantime sarimkiani find it too and publish details on GitHub.
You can find my orginal post here. You can check time signature for it using this file.
Every registered user can change every account because
Request::post('user_id') is used instead of
$id inside update statement.
So if we know current admin id we can takeover this account.
Proof of Concept:
- 01-12-2014: Discovered
- 01-12-2014: Vendor notified
- 26-02-2015: Second notification
- 29-01-2016: Third notification
- 05-04-2016: Version 3.0.4 released, issue resolved