Anders Märak Leffler

#10984of 53,633
25.1Total CVSS
Vulnerabilities · 3
Medium
1
High
1
Critical
1
PT-2022-20454
6.5
2022-05-31
Elabftw · Elabftw · CVE-2022-31007
**Name of the Vulnerable Software and Affected Versions** eLabFTW versions prior to 4.3.0 **Description** The issue allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. **Recommendations** For versions prior to 4.3.0, update to version 4.3.0 to resolve the issue. As a temporary workaround, consider removing the ability of administrators to create accounts until the issue is resolved.
PT-2021-23964
8.8
2021-12-15
Elabftw · Elabftw · CVE-2021-43833
Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 4.2.0 Description: The issue allows any authenticated user to gain access to arbitrary accounts by setting a specially crafted email address, impacting instances without an explicit email domain name allowlist. Administrators and targeted users are not notified of account changes. An attacker needs to control an account to exploit this. The default settings require administrators to validate newly created accounts. Recommendations: For versions prior to 4.2.0, upgrade to at least version 4.2.0 to resolve the issue. For users unable to upgrade, enable an email domain allow list from the Sysconfig panel, Security tab, to completely resolve the issue.
PT-2021-23965
9.8
2021-12-15
Elabftw · Elabftw · CVE-2021-43834
Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 4.2.0 Description: The issue allows an attacker to authenticate as an existing user if that user was created using a single sign-on authentication option such as LDAP or SAML. It impacts instances where LDAP or SAML is used for authentication instead of the local password mechanism. Recommendations: For versions prior to 4.2.0, upgrade to at least version 4.2.0 to resolve the issue. As a temporary workaround, consider restricting the use of single sign-on authentication options until the upgrade is applied.