Description
Any logged in user could edit any other logged in user.
Impact
Everyone who is running a12n-server.
A new HAL-Form was added to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change.
Patches
Patched in v0.18.2
Packages
Name
@curveball/a12n-server
npm
Affected versions: >= 0.18.0, < 0.18.2
Fixed version: 0.18.2
Related vulnerabilities
CVSS3: 8.1
nvd
almost 5 years ago
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
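The flaw class described above, authentication checked but authorization (admin privilege) not, shown as an added illustration in plain JavaScript; this is not a12n-server's own code, and the user store, session shape, `privileges` field and URL paths are assumptions made for the example.

```javascript
// Constructed sample user store (not real a12n-server data). A fresh copy
// is made per call so the vulnerable and fixed handlers can be compared.
function makeStore() {
  return {
    1: { id: 1, nickname: 'alice', privileges: ['admin'] },
    2: { id: 2, nickname: 'bob', privileges: [] },
    3: { id: 3, nickname: 'carol', privileges: [] },
  };
}

function isAdmin(user) {
  return Array.isArray(user.privileges) && user.privileges.includes('admin');
}

// Vulnerable pattern: the handler only asks "is someone logged in?" and then
// applies the submitted form to whichever user the URL names.
function editUserVulnerable(store, session, targetId, patch) {
  if (!session || !session.user) return { status: 401 };
  if (!store[targetId]) return { status: 404 };
  Object.assign(store[targetId], patch);
  return { status: 200, user: store[targetId] };
}

// Fixed pattern: authentication is necessary but not sufficient; the edit
// requires the admin privilege, and the check happens before any write.
function editUserFixed(store, session, targetId, patch) {
  if (!session || !session.user) return { status: 401 };
  if (!isAdmin(session.user)) return { status: 403 };
  if (!store[targetId]) return { status: 404 };
  Object.assign(store[targetId], patch);
  return { status: 200, user: store[targetId] };
}

// HAL representation: only advertise the edit form to callers allowed to use
// it. Hiding the link is a usability measure, not a security control; the
// submit handler above is what actually enforces the privilege.
function userLinks(session, targetId) {
  const links = { self: { href: `/user/${targetId}` } };   // assumed path
  if (session && session.user && isAdmin(session.user)) {
    links['edit-form'] = { href: `/user/${targetId}/edit` }; // assumed path
  }
  return links;
}
```

A regression test for this bug is a non-admin session submitting the form for another user's id and expecting 403 with the record unchanged.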