Описание
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
Ссылки
- Third Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 0.18.0 (включая) до 0.18.2 (исключая)
cpe:2.3:a:curveballjs:a12n-server:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 48%
0.00248
Низкий
8.1 High
CVSS3
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-269
CWE-863
Связанные уязвимости
CVSS3: 8.1
github
почти 5 лет назад
Any logged in user could edit any other logged in user.
EPSS
Процентиль: 48%
0.00248
Низкий
8.1 High
CVSS3
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-269
CWE-863