CVE-2025-62721

Опубликовано: 04 нояб. 2025

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists, and tags from all users in the system, regardless of their ownership or visibility settings. This issue is fixed in version 2.4.0.

Ссылки

https://github.com/Kovah/LinkAce/commit/1fef32694cee2bd80892fb478416be9364c3fddd
Patch
https://github.com/Kovah/LinkAce/releases/tag/v2.4.0
Release Notes
https://github.com/Kovah/LinkAce/security/advisories/GHSA-47g2-qw6q-cr96
Exploit
Vendor Advisory
https://github.com/Kovah/LinkAce/security/advisories/GHSA-47g2-qw6q-cr96
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:linkace:linkace:*:*:*:*:*:*:*:*

Версия до 2.4.0 (исключая)

EPSS

Процентиль: 13%

0.00042

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-200

NVD-CWE-noinfo