CVE-2023-25569

Name of the Vulnerable Software and Affected Versions Apollo versions prior to 2.1.0

Description A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. The issue is related to the Cookie SameSite strategy, which was set to Lax in version 2.1.0.

Recommendations For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, avoid visiting unknown source pages to minimize the risk of exploitation.