Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2021-29452 Vulnerability in npm package a12n-server

Description

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.

Remediation

References

https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9

https://www.npmjs.com/package/%40curveball/a12n-server

Related Vulnerabilities

CVE-2022-23461 Vulnerability in maven package org.webjars.npm:jodit

CVE-2016-1000229 Vulnerability in maven package org.webjars:swagger-ui

CVE-2021-21165 Vulnerability in maven package org.webjars.npm:electron

CVE-2017-16145 Vulnerability in npm package sspa

CVE-2023-3691 Vulnerability in maven package org.webjars.bowergithub.diguoyihao:layui

Severity

High

Classification

CWE-269 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Third Party Advisory