Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Remediation

References

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

https://www.npmjs.com/package/%40curveball/a12n-server

Related Vulnerabilities

CVE-2016-10611 Vulnerability in npm package strider-sauce

CVE-2023-30520 Vulnerability in maven package org.jenkins-ci.plugins:quayio-trigger

CVE-2023-41900 Vulnerability in maven package org.eclipse.jetty:jetty-openid

CVE-2019-10248 Vulnerability in maven package org.eclipse.vorto:parent

CVE-2021-41164 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory