Description
Affects everyone who is running a12n-server.
A new HAL-Form was added to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were checked incorrectly, allowing any logged-in user to make this change.
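To make the class of defect concrete, the following added example (not a12n-server's own code) shows a minimal "edit user" handler written two ways: the defective version only checks that a session exists, so any logged-in user passes, while the corrected version additionally requires an explicit admin privilege before any state change. The session objects, the user store, the `hasPrivilege` helper and the HAL `_templates` shape are all constructed for this illustration and are not the project's API.

```javascript
// Constructed sessions standing in for authenticated principals (example data).
const sessions = {
  alice: { user: 'alice', privileges: ['user'] },          // ordinary user
  root:  { user: 'root',  privileges: ['admin', 'user'] }, // administrator
};

// Hypothetical in-memory user store, constructed for the example.
const users = new Map([
  ['alice', { id: 'alice', nickname: 'Alice', active: true }],
  ['bob',   { id: 'bob',   nickname: 'Bob',   active: true }],
]);

// Hypothetical helper: does the session carry the named privilege?
function hasPrivilege(session, priv) {
  return Array.isArray(session?.privileges) && session.privileges.includes(priv);
}

// Defective pattern (CWE-863, incorrect authorization): authentication is
// confused with authorization. Any logged-in user can edit any other user.
function editUserVulnerable(session, targetId, patch) {
  if (!session) return { status: 401 };
  const target = users.get(targetId);
  if (!target) return { status: 404 };
  Object.assign(target, patch);
  return { status: 200, user: { ...target } };
}

// Corrected pattern: authentication AND the admin privilege are both required,
// and the check happens before any lookup or mutation of the target.
function editUserFixed(session, targetId, patch) {
  if (!session) return { status: 401 };
  if (!hasPrivilege(session, 'admin')) return { status: 403 };
  const target = users.get(targetId);
  if (!target) return { status: 404 };
  Object.assign(target, patch);
  return { status: 200, user: { ...target } };
}

// HAL representation of a user. The edit form (HAL-Forms `_templates`) is only
// advertised to admins. Hiding the form is a usability nicety, not the control:
// the server-side check in editUserFixed is what actually enforces the policy.
function userRepresentation(session, userId) {
  const user = users.get(userId);
  if (!user) return null;
  const body = {
    _links: { self: { href: `/user/${user.id}` } },
    id: user.id,
    nickname: user.nickname,
    active: user.active,
  };
  if (hasPrivilege(session, 'admin')) {
    body._templates = {
      edit: {
        method: 'PATCH',
        target: `/user/${user.id}`,
        properties: [
          { name: 'nickname', required: false },
          { name: 'active', required: false },
        ],
      },
    };
  }
  return body;
}

module.exports = { sessions, users, hasPrivilege, editUserVulnerable, editUserFixed, userRepresentation };
```

The useful regression test for this kind of bug is the negative case: a non-admin session attempting the privileged action must receive 403, independent of whether the form was shown to it.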
Recommendation
Update the @curveball/a12n-server package to the latest compatible version. Version details:
- Affected version(s): >= 0.18.0, < 0.18.2
- Patched version(s): 0.18.2
References
- GHSA-8hw9-22v6-9jr9
- www.npmjs.com
- CVE-2021-29452
- CWE-269
- CWE-863
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A4
- OWASP 2021-A6
Related Issues
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
- Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate - CVE-2021-21413
- LiveQuery publishes user session tokens in parse-server - CVE-2021-41109
- jquery.terminal self XSS on user input - CVE-2021-43862
Tags:
- npm
- @curveball/a12n-server
Last updated on January 27, 2023