Description
Everyone who is running a12n-server.
A new HAL-Form was added to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change.
Recommendation
Update the @curveball/a12n-server package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.18.0, < 0.18.2
- Patched version(s): 0.18.2
References
- GHSA-8hw9-22v6-9jr9
- www.npmjs.com
- CVE-2021-29452
- CWE-269
- CWE-863
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate - CVE-2021-21413
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
- StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings - CVE-2026-32104
- LiveQuery publishes user session tokens in parse-server - CVE-2021-41109
You might also like:
- Tags:
- npm
- @curveball/a12n-server
Anything's wrong? Let us know Last updated on January 27, 2023


