When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id
- Severity: Medium
Description
If you used the apiPrefilter option of the @Entity decorator and set it to a function that returns a filter preventing unauthorized access to data, the filter is not applied to API requests that address a resource by its id. An attacker who knows the id of an entity instance she is not authorized to access can gain read, update and delete access to it.
Recommendation
Update the remult package to the latest compatible version. Version details:
- Affected version(s): < 0.20.6
- Patched version(s): 0.20.6
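The failure mode described above, and the regression check that catches it, as an added example that is not remult's code or part of the original advisory. It is a self-contained in-memory model: makeApi, prefilter, leaksById and the sample rows are hypothetical names and constructed data, and the filterById switch stands in for the unpatched and patched behaviour.

```javascript
// Added illustration: a minimal in-memory model of the bug class, not remult's code.
// Every name here (makeApi, prefilter, leaksById) is hypothetical.
const rows = [ // constructed sample data
  { id: 1, owner: "alice", title: "alice's task" },
  { id: 2, owner: "bob", title: "bob's task" },
];

// Function-style prefilter: computed per request from the current user.
const prefilter = (user) => (row) => row.owner === user;

function makeApi({ filterById }) {
  const store = rows.map((r) => ({ ...r })); // private copy per API instance
  // Shared lookup used by every by-id operation (read, update, delete).
  const byId = (user, id) => {
    const row = store.find((r) => r.id === id);
    if (!row) return undefined;
    // The vulnerable variant (filterById = false) skips the prefilter here.
    if (filterById && !prefilter(user)(row)) return undefined;
    return row;
  };
  return {
    list: (user) => store.filter(prefilter(user)),
    get: (user, id) => byId(user, id) ?? null,
    update: (user, id, patch) => {
      const row = byId(user, id);
      if (!row) return false;
      Object.assign(row, patch);
      return true;
    },
    remove: (user, id) => {
      const row = byId(user, id);
      if (!row) return false;
      store.splice(store.indexOf(row), 1);
      return true;
    },
  };
}

// Regression check: a row hidden from the list view must be unreachable by id.
function leaksById(api, user, foreignId) {
  const visible = api.list(user).some((r) => r.id === foreignId);
  if (visible) return false; // row is legitimately accessible to this user
  return api.get(user, foreignId) !== null ||
    api.update(user, foreignId, { title: "x" }) ||
    api.remove(user, foreignId);
}
```

The same comparison (list view versus by-id read, update and delete for a second test user) can be run against a staging deployment before and after the upgrade.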
- Tags: npm, remult
Last updated on November 09, 2023