Description
Affects everyone who is running a12n-server.
A new HAL-Form was added to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were checked incorrectly, allowing any logged-in user to make this change.
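The flaw described above is the classic confusion of authentication with authorization. The following is an added illustration, not code from a12n-server: a vulnerable policy that only asks whether someone is logged in, beside a fixed policy that also requires the admin privilege, both wired to a hypothetical user-edit handler. The session store, request shape and function names are assumptions.

```javascript
// Added illustration, not a12n-server's code. Session store, request
// shape and names are hypothetical.

// Constructed sessions: bearer token -> authenticated user record.
const SESSIONS = {
  'tok-admin': { id: 1, privileges: ['admin'] },
  'tok-user': { id: 2, privileges: [] },
};

// Resolve the calling user from a bearer token, or null if not logged in.
function resolveUser(request) {
  const auth = request.headers.authorization || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : null;
  return (token && SESSIONS[token]) || null;
}

// Vulnerable pattern: being authenticated is treated as being authorized.
function isAuthorizedVulnerable(request) {
  return resolveUser(request) !== null;
}

// Fixed pattern: authentication, then an explicit privilege check.
function isAuthorizedFixed(request) {
  const user = resolveUser(request);
  return user !== null && user.privileges.includes('admin');
}

// Handler for the user-edit action; `authorize` is the policy under test.
// The same policy must gate both serving the HAL-Form and accepting its
// submission: hiding the form link from non-admins is not enforcement.
function handleEditUser(request, authorize) {
  if (resolveUser(request) === null) {
    return { status: 401 };
  }
  if (!authorize(request)) {
    return { status: 403 };
  }
  return { status: 200, updated: request.body.userId };
}

// Constructed requests for the three caller types.
const adminReq = { headers: { authorization: 'Bearer tok-admin' }, body: { userId: 2 } };
const userReq = { headers: { authorization: 'Bearer tok-user' }, body: { userId: 1 } };
const anonReq = { headers: {}, body: { userId: 1 } };
```

With the vulnerable policy, `userReq` is accepted with status 200; with the fixed policy it is refused with 403 while the admin and anonymous cases behave the same in both.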
Recommendation
Update the @curveball/a12n-server package to the latest compatible version. Version details:
- Affected version(s): >= 0.18.0, < 0.18.2
- Patched version(s): 0.18.2
References
- GHSA-8hw9-22v6-9jr9
- www.npmjs.com
- CVE-2021-29452
- CWE-269
- CWE-863
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A4
- OWASP 2021-A6
Tags
- npm
- @curveball/a12n-server
Last updated on January 27, 2023