PT-2023-27215 · Unknown · Privateuploader

Spysder · Published 2023-08-14 · Updated 2023-08-22 · CVE-2023-40020

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PrivateUploader versions prior to 3.2.49

Description: PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions, the admin guard in app/routes/v3/admin.controller.ts did not correctly enforce that the requesting user was an administrator or moderator. A request from a non-admin user did receive a 403 response with the body ADMIN ONLY, but the middleware still called next(), so the protected admin route handler ran anyway and any updates or changes that route performs were applied. The CVSS vector follows from this: any authenticated low-privilege account (PR:L) can trigger admin-only changes without user interaction, with high integrity and availability impact and a scope change to the data of other users.

Recommendations: Upgrade to version 3.2.49 or later. If the upgrade cannot be applied immediately, restrict access to the admin routes served by admin.controller.ts until it is; no other mitigation is known. Note that a 403 status code alone is not evidence that the guard works: verify that the admin action did not take effect.
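The following is an added example, not PrivateUploader's code and not the contents of its admin.controller.ts: a minimal Express-style middleware chain in TypeScript that reproduces the bug class the description names (a guard that writes a 403 but still calls next()) beside the corrected guard, and sends the same unprivileged request through both. The request, response and route shapes, the bannedUsers store, the ban route and the user objects are all assumptions made for the illustration.

```typescript
// Added illustration of the bug class in CVE-2023-40020, not PrivateUploader's own code.
// Express calls handlers in order; each runs only if the previous one called next().
// A guard that sends a 403 but still calls next() denies nothing.

type User = { id: number; administrator?: boolean; moderator?: boolean };
type Req = { user?: User; body?: Record<string, unknown> };
type Res = {
  statusCode: number;
  headersSent: boolean;
  sentStatus?: number; // status the client actually received (first write wins)
  payload?: unknown;
  status(code: number): Res;
  json(body: unknown): Res;
};
type Next = () => void;
type Handler = (req: Req, res: Res, next: Next) => void;

// Minimal stand-in for an Express response object (assumption: only status/json are needed).
function makeRes(): Res {
  const res: Res = {
    statusCode: 200,
    headersSent: false,
    status(code) { res.statusCode = code; return res; },
    json(body) {
      // Real Express throws ERR_HTTP_HEADERS_SENT on a second write; that error
      // surfaces only after the route handler has already done its work.
      if (res.headersSent) throw new Error("Cannot set headers after they are sent");
      res.payload = body;
      res.sentStatus = res.statusCode;
      res.headersSent = true;
      return res;
    },
  };
  return res;
}

// Runs handlers in order, Express-style: a handler runs only when its predecessor calls next().
function runChain(handlers: Handler[], req: Req, res: Res): void {
  let i = 0;
  const next: Next = () => {
    const h = handlers[i++];
    if (h) h(req, res, next);
  };
  next();
}

// Vulnerable guard (reconstruction of the pattern the advisory describes, not the real file):
// the 403 is written, but there is no return, so next() runs for everyone.
const vulnerableAdminOnly: Handler = (req, res, next) => {
  if (!req.user?.administrator && !req.user?.moderator) {
    res.status(403).json({ error: "ADMIN ONLY" });
  }
  next();
};

// Fixed guard: respond and stop. Only administrators and moderators reach next().
const fixedAdminOnly: Handler = (req, res, next) => {
  if (!req.user?.administrator && !req.user?.moderator) {
    res.status(403).json({ error: "ADMIN ONLY" });
    return;
  }
  next();
};

// A hypothetical admin route whose side effect happens before it responds.
const bannedUsers = new Set<number>();
const banUserRoute: Handler = (req, res) => {
  bannedUsers.add(Number(req.body?.userId));
  res.status(200).json({ banned: true });
};

// Sends one constructed "ban user" request through guard + route and reports what happened.
function attemptBan(guard: Handler, user: User | undefined, targetId: number) {
  bannedUsers.clear();
  const res = makeRes();
  let threw = false;
  try {
    runChain([guard, banUserRoute], { user, body: { userId: targetId } }, res);
  } catch (_err) {
    threw = true; // the second write failed, but the ban already happened
  }
  return { status: res.sentStatus ?? 0, sideEffect: bannedUsers.has(targetId), threw };
}

// Same unprivileged request against both guards: the client sees a 403 either way,
// but only the fixed guard prevents the ban.
console.log("vulnerable:", attemptBan(vulnerableAdminOnly, { id: 7 }, 42));
console.log("fixed:     ", attemptBan(fixedAdminOnly, { id: 7 }, 42));
```

The practical check this suggests: an integration test that asserts only on the 403 status passes against the vulnerable guard, because the status is written before the handler runs. Test the effect (here, whether the user ended up in bannedUsers), and in audits of Express-style code look for guards whose error branch sends a response without a return.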

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2023-40020
GHSA-VHRW-2472-RRJX

Affected Products

Privateuploader