CVE-2019-18642

9.8 CRITICAL

📋 TL;DR

CVE-2019-18642 allows account takeover in Rock RMS by tampering with the user ID parameter in profile update requests. Any authenticated user can change any other user's email address, including those of administrators, which enables password reset attacks against the targeted accounts. This affects Rock RMS versions before 8.6.

💻 Affected Systems

Products:
  • Rock RMS
Versions: All versions before 8.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with default configurations; requires authenticated access but minimal privileges.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via administrator account takeover, leading to data theft, privilege escalation, and full control of the Rock RMS instance.

🟠

Likely Case

Unauthorized access to user accounts, data exposure, and potential lateral movement within the system.

🟢

If Mitigated

Limited impact if proper input validation and authorization checks are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but minimal technical skill; public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.6

Vendor Advisory: https://github.com/SparkDevNetwork/Rock/releases/tag/v8.6

Restart Required: Yes

Instructions:

1. Back up your Rock RMS database and files.
2. Download Rock RMS version 8.6 or later from the official repository.
3. Follow the upgrade instructions in the Rock RMS documentation.
4. Restart the application server.

🔧 Temporary Workarounds

Input Validation and Authorization Check

Applies to: all versions

Implement server-side validation to ensure users can only modify their own profile data.

Configuration change: Not applicable - requires code changes

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests with tampered user ID parameters.
  • Monitor and alert on unusual profile update activities, especially email changes for multiple accounts.

🔍 How to Verify

Check if Vulnerable:

Check Rock RMS version via admin panel or by examining the application files; versions below 8.6 are vulnerable.

Check Version:

Check the version in the Rock RMS admin interface or review the application's version file.

Verify Fix Applied:

After upgrading to 8.6 or later, test that profile update requests with modified user IDs are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple profile update requests from a single user targeting different user IDs
  • Email change requests for accounts not owned by the requester

Network Indicators:

  • HTTP POST requests to profile update endpoints with modified user_id parameters

SIEM Query:

source="rock_rms_logs" AND (event="profile_update" AND user_id != session_user_id)
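The same two indicators (an actor updating a profile other than their own, and one actor touching several other users' email addresses) as an offline detection over constructed JSON-lines log records. This is an added example, not code from the page or from Rock RMS; the field names `event`, `user_id`, `session_user_id` and `field`, and the log format, are assumptions mirroring the SIEM query above.

```python
import json
from collections import defaultdict

# Constructed sample records (assumed format, not Rock RMS's own log schema):
# user_id = profile being modified, session_user_id = authenticated actor.
SAMPLE_LOGS = """\
{"ts":"2019-11-01T10:00:01Z","event":"profile_update","session_user_id":42,"user_id":42,"field":"Email"}
{"ts":"2019-11-01T10:01:10Z","event":"profile_update","session_user_id":42,"user_id":7,"field":"Email"}
{"ts":"2019-11-01T10:01:15Z","event":"profile_update","session_user_id":42,"user_id":1,"field":"Email"}
{"ts":"2019-11-01T10:02:00Z","event":"profile_update","session_user_id":42,"user_id":9,"field":"NickName"}
{"ts":"2019-11-01T10:03:00Z","event":"login","session_user_id":7,"user_id":7}
{"ts":"2019-11-01T10:04:00Z","event":"profile_update","session_user_id":8,"user_id":8,"field":"Email"}
"""


def parse_events(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cross_user_updates(events):
    """Equivalent of the SIEM query: profile_update where actor != profile owner."""
    return [e for e in events
            if e.get("event") == "profile_update"
            and e.get("user_id") != e.get("session_user_id")]


def fan_out_actors(events, min_targets=2, field=None):
    """Actors who modified at least min_targets distinct other users' profiles.

    Pass field="Email" to match the indicator of email changes across many
    accounts; field=None counts any profile field.
    """
    targets = defaultdict(set)
    for e in cross_user_updates(events):
        if field is None or e.get("field") == field:
            targets[e["session_user_id"]].add(e["user_id"])
    return {actor: sorted(ids) for actor, ids in targets.items()
            if len(ids) >= min_targets}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    for e in cross_user_updates(evts):
        print("ALERT cross-user profile update:", e)
    print("fan-out on Email:", fan_out_actors(evts, field="Email"))
```

The self-update by user 42 and the login event are not flagged; the three updates by 42 against other users are, and 42 is reported for changing two other accounts' email addresses.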
