Description
Affects everyone who is running a12n-server.
A new HAL-Form was added to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were checked incorrectly, allowing any logged-in user to make this change.
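As an added illustration of the flaw the advisory describes (hypothetical code, not a12n-server's own), a minimal edit-user handler with the flawed "is logged in" check beside the corrected admin-privilege check; the session objects, form shape and handler names are constructed for this example:

```javascript
// Illustration of CWE-863 as described in the advisory: the edit-user HAL-Form
// was exposed to any authenticated principal instead of admins only.
// Hypothetical code, not a12n-server's implementation.

// Constructed sessions: a regular user, an admin and an anonymous caller.
const sessions = {
  alice: { loggedIn: true, user: { id: 1, privileges: ['user'] } },
  root:  { loggedIn: true, user: { id: 2, privileges: ['admin'] } },
  anon:  { loggedIn: false },
};

// A HAL-Form "_templates" entry for editing a user (constructed shape).
function editUserTemplate(userId) {
  return {
    'edit-user': {
      method: 'PUT',
      target: `/user/${userId}`,
      properties: [{ name: 'nickname' }, { name: 'active', type: 'checkbox' }],
    },
  };
}

// Flawed check (the pre-0.18.2 behaviour the advisory describes):
// only the presence of a session is tested, not the privilege.
function canEditUserVulnerable(session) {
  return Boolean(session.loggedIn);
}

// Corrected check: the admin privilege itself must be present.
function canEditUserFixed(session) {
  return Boolean(session.loggedIn) && session.user.privileges.includes('admin');
}

// Build the user representation, attaching the edit form only when authorized.
function renderUser(session, userId, check) {
  const body = { _links: { self: { href: `/user/${userId}` } }, id: userId };
  if (check(session)) body._templates = editUserTemplate(userId);
  return body;
}

// Handle PUT /user/:id. The write path must re-run the same check:
// omitting the form from the representation is not an access control.
function handleEdit(session, userId, check) {
  if (!check(session)) return { status: 403 };
  return { status: 200, updated: userId };
}

// Audit helper: which principals can reach the edit form under a given check.
function principalsWhoCanEdit(check) {
  return Object.keys(sessions).filter((name) => check(sessions[name]));
}
```

Running `principalsWhoCanEdit` with each check shows the difference directly: the flawed check admits every logged-in principal, the corrected one only the admin.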
Recommendation
Update the @curveball/a12n-server package to the latest compatible version. Version details:
- Affected version(s): >= 0.18.0, < 0.18.2
- Patched version(s): 0.18.2
References
- GHSA-8hw9-22v6-9jr9
- www.npmjs.com
- CVE-2021-29452
- CWE-269
- CWE-863
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A4
- OWASP 2021-A6
Last updated on January 27, 2023