Lucene search

[email protected]NVD:CVE-2023-40020

HistoryAug 14, 2023 - 9:15 p.m.

CVE-2023-40020

2023-08-1421:15:13

CWE-287

[email protected]

web.nvd.nist.gov

cve-2023-40020

vue

typescript

user privilege verification

vulnerability

update

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

32.3%

JSON

PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions app/routes/v3/admin.controller.ts did not correctly verify whether the user was an administrator (High Level) or moderator (Low Level) causing the request to continue processing. The response would be a 403 with ADMIN_ONLY, however, next() would call leading to any updates/changes in the route to process. This issue has been addressed in version 3.2.49. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Node

troploprivateuploaderRange<3.2.49

VendorProductVersionCPE
troploprivateuploader*cpe:2.3:a:troplo:privateuploader:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
troplo	privateuploader	*	cpe:2.3:a:troplo:privateuploader::::::::

References

github.com/PrivateUploader/PrivateUploader/commit/869657d61e3c7a518177106fe63ea483082b0d3e

github.com/PrivateUploader/PrivateUploader/security/advisories/GHSA-vhrw-2472-rrjx

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

32.3%

JSON

Related for NVD:CVE-2023-40020

cvelist1 prion1 osv1 cve1