ID CVE-2021-29452
Summary a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
References
Vulnerable Configurations
  • cpe:2.3:a:curveballjs:a12n-server:0.18.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:curveballjs:a12n-server:0.18.0:*:*:*:*:node.js:*:*
  • cpe:2.3:a:curveballjs:a12n-server:0.18.1:*:*:*:*:node.js:*:*
    cpe:2.3:a:curveballjs:a12n-server:0.18.1:*:*:*:*:node.js:*:*
CVSS
Base: 4.0 (as of 03-08-2022 - 10:17)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:L/Au:S/C:N/I:P/A:N
Last major update 03-08-2022 - 10:17
Published 16-04-2021 - 22:15
Last modified 03-08-2022 - 10:17
Back to Top