Name of the Vulnerable Software and Affected Versions loopback versions prior to 2.40.0 loopback versions prior to 3.22.0

Description The issue allows attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges.

Recommendations For versions prior to 2.40.0, upgrade to version 2.40.0 or later For versions prior to 3.22.0, upgrade to version 3.22.0 or later