
Joshk

#26877 of 53,624
9.4 Total CVSS
Vulnerabilities · 1
PT-2026-24471
9.4
2026-03-10
Unknown · Nerves-Hub Nerves Hub Web · CVE-2026-28806
**Name of the Vulnerable Software and Affected Versions**

nerves-hub nerves hub web versions 1.0.0 through 2.3.9

**Description**

An improper authorization issue exists in nerves-hub nerves hub web that allows cross-organization device control through device bulk actions and the device update API. Missing authorization checks in the device bulk actions and device update API endpoints permit authenticated users to target devices belonging to other organizations and perform actions beyond their authorized access level. An attacker can manipulate device identifiers to select devices outside of their organization and perform management actions, potentially interfering with firmware updates, accessing device functionality, or disrupting device connectivity. In environments with remote console access enabled, this could lead to full compromise of affected devices.

**Recommendations**

Update nerves-hub nerves hub web to version 2.4.0 or later.