PT-2023-25178 · Remult · Remult
Chrisrimmer
·
Publicado
2023-06-20
·
Atualizado
2023-07-05
·
CVE-2023-35167
CVSS v3.1
5.0
Média
| Vetor | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Remult versions prior to 0.20.6
Description
The issue allows an attacker who knows the
id of an entity instance they are not authorized to access to gain read, update, and delete access to it. This occurs when the apiPrefilter option of the @Entity decorator is set to a function that returns a filter intended to prevent unauthorized access to data.Recommendations
For versions prior to 0.20.6, set the
apiPrefilter option to a filter object instead of a function as a workaround.
Update to version 0.20.6 to fix the issue.Exploit
Correção
Improper Access Control
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Remult