PT-2023-16630 · Bhima · Bhima

Carlos Bello · Published 2023-04-05 · Updated 2025-05-08

CVE-2023-0944 · CVSS v3.1 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Bhima version 1.27.0

Description: The issue allows an authenticated attacker with regular user permissions to update arbitrary user session data, including username, email, and password. This is due to the application being vulnerable to Insecure Direct Object Reference (IDOR), meaning it does not correctly validate user permissions for certain actions.

Recommendations: For Bhima version 1.27.0, consider restricting access to user session data until a patch is available. As a temporary workaround, limit the ability of regular users to update sensitive information such as username, email, and password.
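The following is an added illustration of the IDOR pattern described above and of the ownership check that closes it; it is hypothetical handler code, not Bhima's own, and assumes an Express-style request object (`req.session`, `req.params`, `req.body`) with an in-memory user store constructed for the example.

```javascript
// Constructed user store standing in for the application's user table.
const users = new Map([
  [1, { id: 1, username: 'alice', email: 'alice@example.test', role: 'user' }],
  [2, { id: 2, username: 'bob', email: 'bob@example.test', role: 'user' }],
  [3, { id: 3, username: 'root', email: 'root@example.test', role: 'admin' }],
]);

// Whitelist of fields a client may set through this route; role is deliberately excluded.
function pickAllowed(body) {
  const out = {};
  for (const k of ['username', 'email']) {
    if (typeof body[k] === 'string') out[k] = body[k];
  }
  return out;
}

// Vulnerable pattern: only checks that the caller is logged in, then trusts the
// user id taken from the URL. Any authenticated user can modify any record.
function updateUserVulnerable(req) {
  if (!req.session || !req.session.user) return { status: 401 };
  const target = users.get(Number(req.params.id));
  if (!target) return { status: 404 };
  Object.assign(target, pickAllowed(req.body));
  return { status: 200, user: target };
}

// Hardened pattern: the caller may modify only their own record unless they hold
// the admin role. The object-level authorization check is what the vulnerable
// handler lacks; password changes would additionally require the current password.
function updateUserHardened(req) {
  if (!req.session || !req.session.user) return { status: 401 };
  const caller = req.session.user;
  const targetId = Number(req.params.id);
  const target = users.get(targetId);
  if (!target) return { status: 404 };
  if (caller.id !== targetId && caller.role !== 'admin') {
    return { status: 403 }; // authenticated, but not authorized for this object
  }
  Object.assign(target, pickAllowed(req.body));
  return { status: 200, user: target };
}

// Constructed request: bob (id 2) attempts to change alice's (id 1) email.
const crossUserRequest = {
  session: { user: { id: 2, role: 'user' } },
  params: { id: '1' },
  body: { email: 'changed@example.test' },
};
console.log(updateUserHardened(crossUserRequest).status); // 403
```

In a detection or code-review context, the thing to look for is any write handler whose only gate is "is there a session", with the record identifier coming from the request rather than from the session.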

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2023-0944

Affected Products: Bhima