GitHub_MCVELIST:CVE-2021-29452CVE-2021-29452 Any logged in user could edit any other logged in user.
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.5 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
22.9%
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
CNA Affected
[
{
"product": "a12n-server",
"vendor": "curveball",
"versions": [
{
"status": "affected",
"version": ">= 0.18 < 0.18.2"
}
]
}
]Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.5 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
22.9%