PT-2024-32479 · Unknown · Gladys Assistant
Chasebowman-Contrast · Published 2024-09-21 · Updated 2024-09-26 · CVE-2024-47210

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gladys Assistant versions prior to 4.45.1
Description: The issue allows an authenticated user to change their own role, resulting in privilege escalation. This is possible because the updateMySelf function in server/api/controllers/user.controller.js accepts req.body.role from the request body and applies it to the caller's own account.
Recommendations: For versions prior to 4.45.1, update to version 4.45.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the updateMySelf function in server/api/controllers/user.controller.js to prevent exploitation. Additionally, avoid using the req.body.role variable in the affected API endpoint until the issue is resolved.
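The defect described above is a mass-assignment pattern: a self-service profile update copies every field from the request body, so a privileged field such as role is writable by the caller. The following is an added illustration, not Gladys Assistant's own code; the field names, the in-memory user store and the request shape are assumed. It places the vulnerable copy beside an allow-list version that never lets role reach the update.

```javascript
// Added illustration of the mass-assignment pattern behind CVE-2024-47210.
// Not Gladys Assistant's code: handler shape, store and field names are assumed.
const ALLOWED_SELF_UPDATE_FIELDS = ['firstname', 'lastname', 'email', 'language'];

// Vulnerable pattern: every key in req.body, including "role", is copied
// into the update, so an ordinary user can promote their own account.
function buildSelfUpdateVulnerable(body) {
  return { ...body };
}

// Hardened pattern: copy only an explicit allow-list of profile fields and
// drop everything else, so "role" is ignored no matter what the client sends.
function buildSelfUpdateHardened(body) {
  const update = {};
  for (const key of ALLOWED_SELF_UPDATE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) update[key] = body[key];
  }
  return update;
}

// Minimal stand-in for a "update my own profile" controller (assumed shape):
// the authenticated user is req.user, the submitted fields are req.body.
function makeUpdateMySelf(buildUpdate) {
  return function updateMySelf(req) {
    Object.assign(req.user, buildUpdate(req.body));
    return req.user;
  };
}

// Constructed request: a regular user submits a profile edit that also
// carries role = "admin".
function constructedRequest() {
  return {
    user: { id: 'user-1', role: 'user', firstname: 'Ada' },
    body: { firstname: 'Ada', role: 'admin' },
  };
}

// Runs the same request through both handlers and reports the resulting role.
function demo() {
  const vulnerable = makeUpdateMySelf(buildSelfUpdateVulnerable)(constructedRequest());
  const hardened = makeUpdateMySelf(buildSelfUpdateHardened)(constructedRequest());
  return { vulnerableRole: vulnerable.role, hardenedRole: hardened.role };
}

console.log(demo()); // → { vulnerableRole: 'admin', hardenedRole: 'user' }
```

A test that asserts hardenedRole stays 'user' for a body containing role is a cheap regression check to keep beside any self-update endpoint.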

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2024-47210

Affected Products

Gladys Assistant