CVE-2024-47210: n/a
Gladys Assistant before 4.45.1 allows Privilege Escalation (a user changing their own role) because req.body.role can be used in updateMySelf in server/api/controllers/user.controller.js.
AI Analysis
Technical Summary
CVE-2024-47210 is a privilege escalation vulnerability in Gladys Assistant, an open-source home automation platform. It affects versions before 4.45.1 and stems from the updateMySelf function in server/api/controllers/user.controller.js accepting req.body.role. That function exists so that a user can edit their own profile (name, e-mail and similar fields), but because the role field from the request body was forwarded to the update along with the rest, any authenticated user could set their own role to a higher one, such as administrator. This is the classic mass-assignment pattern: a client-controlled field that should be server-managed is copied straight into the persisted object, and the authorization check that should separate "edit my profile" from "change a role" is missing. The flaw violates the principle of least privilege and opens access to every function and data set reserved for administrators. The CVSS 3.1 base score of 8.8 reflects high impact on confidentiality, integrity and availability, with network attack vector, low attack complexity, low privileges required (an ordinary account) and no user interaction. No public exploit has been reported, but the defect is simple enough to trigger with a single modified request, so any deployment on an affected version should be treated as exposed. The CWE-400 tag appears to be a misclassification: CWE-400 covers uncontrolled resource consumption, whereas the issue here is improper authorization on a self-update, closer to CWE-915 (mass assignment) or CWE-269 (improper privilege management).
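The pattern described above, shown as an added example rather than code from the Gladys Assistant project: a self-update handler that forwards the whole request body (the vulnerable shape), the same handler restricted to an allow-list of profile fields, and a separate admin-only role change that authorizes on the caller's stored role. The user records, field names, role names and handler signatures are assumptions made for illustration and are not taken from the Gladys source.

```javascript
// Added example (not Gladys Assistant's own code) of the mass-assignment flaw
// behind CVE-2024-47210 beside a hardened form. Field names, role names and the
// store shape are assumptions for illustration.

const ALLOWED_SELF_FIELDS = ['firstname', 'lastname', 'email', 'language'];
const VALID_ROLES = ['user', 'admin'];

// Constructed in-memory user store standing in for the database layer.
function makeStore() {
  return {
    users: new Map([
      ['u-1', { id: 'u-1', firstname: 'Alice', role: 'admin' }],
      ['u-2', { id: 'u-2', firstname: 'Bob', role: 'user' }],
    ]),
    updateUser(id, fields) {
      const user = this.users.get(id);
      Object.assign(user, fields);
      return { ...user };
    },
  };
}

// Vulnerable shape: every field the client sent, including `role`, is
// forwarded to the persistence layer for the caller's own record.
function updateMySelfVulnerable(store, req) {
  return store.updateUser(req.user.id, req.body);
}

// Hardened shape: copy only an explicit allow-list of profile fields.
// `role` (and anything else not listed) is silently dropped, so this
// handler can never change the caller's privilege level.
function updateMySelfHardened(store, req) {
  const safe = {};
  for (const key of ALLOWED_SELF_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(req.body, key)) {
      safe[key] = req.body[key];
    }
  }
  return store.updateUser(req.user.id, safe);
}

// Role changes belong in a separate operation that checks the caller's
// role as stored on the server, never a role claimed in the request body.
function setUserRoleAsAdmin(store, req, targetId, role) {
  const caller = store.users.get(req.user.id);
  if (!caller || caller.role !== 'admin') {
    throw new Error('forbidden: only administrators can change roles');
  }
  if (!VALID_ROLES.includes(role)) {
    throw new Error(`invalid role: ${role}`);
  }
  return store.updateUser(targetId, { role });
}

// Constructed request: a low-privileged user submitting a profile edit that
// smuggles `role: 'admin'` alongside a legitimate field.
function attackRequest() {
  return {
    user: { id: 'u-2' },
    body: { firstname: 'Bobby', role: 'admin' },
  };
}

// Runs both handlers against fresh stores and reports the resulting roles.
function demo() {
  const vulnerable = updateMySelfVulnerable(makeStore(), attackRequest());
  const hardened = updateMySelfHardened(makeStore(), attackRequest());
  return {
    vulnerableRole: vulnerable.role,     // 'admin': escalation succeeded
    hardenedRole: hardened.role,         // 'user': role field ignored
    hardenedFirstname: hardened.firstname, // 'Bobby': allowed field applied
  };
}

console.log(demo());
```

The allow-list is the important design choice: a deny-list that strips only `role` would have to be kept in sync with every future privileged column, whereas an allow-list fails closed when the schema grows.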
Potential Impact
If exploited, this vulnerability lets any authenticated user, regardless of the role they were given, grant themselves administrative control of the Gladys Assistant instance. That in turn means access to every connected smart device, the ability to create or alter automation rules, exposure of other users' data, and disruption of home automation. An attacker could disable security-related automations, add or remove devices, or issue commands to devices, affecting the confidentiality, integrity and availability of the whole system. For households or organizations relying on Gladys Assistant for critical home or office automation, this could result in significant operational disruption and privacy breaches. Because exploitation needs only an ordinary account and a single modified request, the risk is greatest in deployments where several people hold accounts but are expected to operate with limited roles.
Mitigation Recommendations
The fix is to upgrade Gladys Assistant to version 4.45.1 or later, where the issue is patched. If upgrading is not immediately possible, remember that exploitation requires an account: limit account creation to trusted individuals, remove or disable accounts that are no longer needed, and keep the instance off untrusted networks so a stolen or guessed credential cannot be used remotely. As a stopgap, a reverse proxy or API gateway in front of the instance can reject self-update requests whose body contains a role field; this is a patch-level control and not a substitute for upgrading. Audit user roles regularly and compare them against a known-good list, since the only trace of a successful exploit may be an account whose role has changed. Enable logging of role modifications, and alert on any event in which the acting user and the modified user are the same account. Finally, enforce strong authentication so that compromised credentials are less likely to be the starting point for this attack.
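Two of the detective controls above, the role audit and the alert on self-inflicted role changes, as an added example that is not part of the advisory or of the Gladys Assistant project. The baseline and current user lists and the audit-log lines are constructed sample data; the log field names (actor, target, field, old, new) and the role ordering are assumptions, and in a real deployment the current list would come from the application's user API or database and the baseline from a snapshot taken before the window of exposure.

```javascript
// Added example (not from the advisory or from Gladys Assistant): a role-drift
// audit against a baseline, and a detector for self-role-change events in an
// audit log. Role ranking and log format are assumptions for illustration.

const ROLE_RANK = { user: 1, admin: 2 }; // assumed ordering, low to high

// Compare current accounts against a known-good baseline. Flags any account
// whose role rank rose and any account that did not exist in the baseline.
function auditRoles(baseline, current) {
  const base = new Map(baseline.map((u) => [u.id, u]));
  const findings = [];
  for (const u of current) {
    const prev = base.get(u.id);
    if (!prev) {
      findings.push({ id: u.id, type: 'new-account', role: u.role });
      continue;
    }
    if ((ROLE_RANK[u.role] || 0) > (ROLE_RANK[prev.role] || 0)) {
      findings.push({ id: u.id, type: 'escalation', from: prev.role, to: u.role });
    }
  }
  return findings;
}

// Scan newline-delimited JSON audit events and return every role change in
// which the acting account modified its own record. A legitimate role change
// is performed by an administrator on someone else; a self-change is the
// signature of CVE-2024-47210 style abuse.
function detectSelfRoleChanges(logText) {
  const alerts = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    if (ev.field === 'role' && ev.actor === ev.target) {
      alerts.push({ ts: ev.ts, account: ev.actor, from: ev.old, to: ev.new });
    }
  }
  return alerts;
}

// Constructed sample data.
const BASELINE_USERS = [
  { id: 'u-1', role: 'admin' },
  { id: 'u-2', role: 'user' },
  { id: 'u-3', role: 'user' },
];
const CURRENT_USERS = [
  { id: 'u-1', role: 'admin' },
  { id: 'u-2', role: 'admin' }, // escalated since baseline
  { id: 'u-3', role: 'user' },
  { id: 'u-4', role: 'user' },  // not in baseline
];
const SAMPLE_LOG = [
  '{"ts":"2024-10-01T10:00:00Z","actor":"u-1","target":"u-3","field":"role","old":"user","new":"admin"}',
  '{"ts":"2024-10-01T10:05:00Z","actor":"u-2","target":"u-2","field":"role","old":"user","new":"admin"}',
  '{"ts":"2024-10-01T10:06:00Z","actor":"u-2","target":"u-2","field":"firstname","old":"Bob","new":"Bobby"}',
  'not json at all',
].join('\n');

function runAudit() {
  return {
    drift: auditRoles(BASELINE_USERS, CURRENT_USERS),
    selfChanges: detectSelfRoleChanges(SAMPLE_LOG),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The drift audit catches exploitation that happened before logging was turned on, which is why it is worth running once against a pre-exposure snapshot even after the alert rule is in place.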
Affected Countries
United States, Canada, United Kingdom, Germany, France, Netherlands, Belgium, Australia, New Zealand
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-21T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d08b7ef31ef0b56d591
Added to database: 2/25/2026, 9:43:36 PM
Last enriched: 2/26/2026, 8:48:01 AM
Last updated: 4/12/2026, 3:35:15 PM