Alberto Chica Nunez

Researcher from Accenture
#52711 of 53,635
3.5 Total CVSS
Vulnerabilities · 1
PT-2021-20023
3.5
2021-06-10
Labcup · Labcup · CVE-2021-33031
**Name of the Vulnerable Software and Affected Versions**

LabCup versions prior to 6.3.0.03

**Description**

The issue allows unauthorized actions to be performed by users without access to user management, potentially leading to account takeover. An attacker can change another user's email address if they know specific details about the victim, such as roles, group roles, ID, and remote authentication ID settings, which are sent in a modified save API request to the "save API" endpoint.

**Recommendations**

For versions prior to 6.3.0.03, update to version 6.3.0.03 to resolve the issue. As a temporary workaround, consider restricting access to the save API endpoint until the update is applied.