PT-2022-20454 · Elabftw · Elabftw
Anargam (+1) · Published 2022-05-31 · Updated 2022-06-10 · CVE-2022-31007
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 4.3.0
Description: The issue allows an authenticated user with an administrator role in a team to grant themselves system administrator privileges within the application, or to create a new system administrator account. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team or teams. A system administrator account can manage all accounts and teams and edit system-wide settings within the application. The impact is not rated as high, because exploitation requires access to an administrator account; regular user accounts cannot use this issue to gain admin rights.
Recommendations: For versions prior to 4.3.0, update to version 4.3.0 to resolve the issue. As a temporary workaround, consider removing the ability of administrators to create accounts until the update is applied.
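As an added illustration of the authorization gap described above (hypothetical model, not eLabFTW's own code): an account-creation handler that only checks whether the caller administers the target team, beside a hardened form that also refuses to grant a privilege level above the caller's own. Names such as `Account`, `create_account_vulnerable` and `create_account_fixed` are assumptions for this example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass
class Account:
    name: str
    team: str
    is_admin: bool = False      # administrator of their own team only
    is_sysadmin: bool = False   # system-wide administrator


def _administers_team(actor: Account, team: str) -> bool:
    return actor.is_sysadmin or (actor.is_admin and actor.team == team)


def create_account_vulnerable(actor: Account, name: str, team: str,
                              is_sysadmin: bool = False) -> Account:
    """Flawed handler (hypothetical): checks team administration, then copies the
    requested sysadmin flag without asking whether the caller may grant it."""
    if not _administers_team(actor, team):
        raise Forbidden("caller does not administer this team")
    return Account(name, team, is_sysadmin=is_sysadmin)


def create_account_fixed(actor: Account, name: str, team: str,
                         is_sysadmin: bool = False) -> Account:
    """Hardened handler: a caller may never grant a privilege above their own."""
    if not _administers_team(actor, team):
        raise Forbidden("caller does not administer this team")
    if is_sysadmin and not actor.is_sysadmin:
        raise Forbidden("only a system administrator may grant sysadmin")
    return Account(name, team, is_sysadmin=is_sysadmin)


def demo() -> tuple:
    """Constructed scenario: a team admin requests a new account with the
    sysadmin flag set. Returns (escalated_by_flawed_handler, blocked_by_fix)."""
    team_admin = Account("alice", "chem", is_admin=True)
    created = create_account_vulnerable(team_admin, "mallory", "chem", is_sysadmin=True)
    try:
        create_account_fixed(team_admin, "mallory", "chem", is_sysadmin=True)
        blocked = False
    except Forbidden:
        blocked = True
    return created.is_sysadmin, blocked
```

The same rule applies to an edit handler that toggles an existing account's sysadmin flag: the check must be on the caller's global role, not on their team role.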

Related Identifiers

CVE-2022-31007
GHSA-937C-M7P3-775V

Affected Products

Elabftw