Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Remediation

References

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

https://www.npmjs.com/package/%40curveball/a12n-server

Related Vulnerabilities

CVE-2023-36106 Vulnerability in maven package tech.powerjob:powerjob

CVE-2021-41164 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4

CVE-2020-7628 Vulnerability in npm package umount

CVE-2019-15596 Vulnerability in npm package statics-server

CVE-2022-29647 Vulnerability in maven package net.mingsoft:ms-mcms

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory