CVE-2022-45292 : User invites for Funkwhale v1.2.8 do not permanently expire after being used for

User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.

Published 2022-12-09 22:15:11

Updated 2022-12-13 00:36:18

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-45292

Funkwhale » Funkwhale » Version: 1.2.8
cpe:2.3:a:funkwhale:funkwhale:1.2.8:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE-672 Operation on a Resource after Expiration or Release

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Assigned by: nvd@nist.gov (Primary)

https://dev.funkwhale.audio/funkwhale/funkwhale/-/issues/1952

Funkwhale invites do not permanently expire after being used for signup and can be used again if the user is deleted (#1952) · Issues · funkwhale / funkwhale · GitLab
Exploit;Issue Tracking;Vendor Advisory

Jump to