CVE-2021-35970

Опубликовано: 30 июн. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-mail addresses and other sensitive information via GraphQL because permission checks use an incorrect data type.

Ссылки

https://docs.coralproject.net/coral/api/graphql/#User
Exploit
Vendor Advisory
https://github.com/coralproject/talk/compare/v4.12.0...v4.12.1
Patch
Third Party Advisory
https://github.com/coralproject/talk/issues/3600
Exploit
Third Party Advisory
https://github.com/coralproject/talk/pull/3599
Patch
Third Party Advisory
https://docs.coralproject.net/coral/api/graphql/#User
Exploit
Vendor Advisory
https://github.com/coralproject/talk/compare/v4.12.0...v4.12.1
Patch
Third Party Advisory
https://github.com/coralproject/talk/issues/3600
Exploit
Third Party Advisory
https://github.com/coralproject/talk/pull/3599
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:voxmedia:coral_talk:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 4.12.1 (исключая)

EPSS

Процентиль: 69%

0.00609

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-697

Связанные уязвимости

GHSA-pf66-8v2r-m3jq