Description
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added in version 0.18.0 to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked, allowing any logged-in user to make this change. Patched in v0.18.2.
Remediation
References
https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9
https://www.npmjs.com/package/%40curveball/a12n-server