PT-2023-25178 · Remult · Remult
Chrisrimmer
·
Published
2023-06-20
·
Updated
2023-07-05
·
CVE-2023-35167
CVSS v3.1
5.0
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Remult versions prior to 0.20.6
Description
The issue allows an attacker who knows the
id of an entity instance they are not authorized to access to gain read, update, and delete access to it. This occurs when the apiPrefilter option of the @Entity decorator is set to a function that returns a filter intended to prevent unauthorized access to data.Recommendations
For versions prior to 0.20.6, set the
apiPrefilter option to a filter object instead of a function as a workaround.
Update to version 0.20.6 to fix the issue.Exploit
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Remult