Vulnerability Details : CVE-2023-2260
Authorization Bypass Through User-Controlled Key in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304.
Products affected by CVE-2023-2260
- cpe:2.3:a:alf:alf:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-2260
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- Percentile: ~51% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-2260
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | huntr.dev |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2023-2260
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - security@huntr.dev (Primary)
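The weakness described above is the classic insecure-direct-object-reference shape: the handler trusts the record id the caller supplies and never asks whether the caller owns that record. The following added example, written for this page and not taken from alf.io or from the referenced fix commit, models the bug as reported (an organization owner deleting another organization's API keys) with a constructed in-memory store, and places the vulnerable handler beside a hardened one that scopes the lookup to the caller's organizations. The data model, names and the shape of the fix are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class ApiKey:
    key_id: int
    organization_id: int
    description: str


@dataclass
class User:
    username: str
    organization_ids: frozenset  # organizations this user administers


class NotFound(Exception):
    """Raised for unknown keys and, in the fixed handler, for keys the caller may not touch."""


def sample_store():
    """Constructed sample data (not from alf.io): two organizations, one API key each."""
    return {
        1: ApiKey(1, organization_id=100, description="org 100 check-in scanner"),
        2: ApiKey(2, organization_id=200, description="org 200 check-in scanner"),
    }


ALICE = User("alice", frozenset({100}))  # administers organization 100 only
BOB = User("bob", frozenset({200}))      # administers organization 200 only


def delete_api_key_vulnerable(user, key_id, store):
    """User-controlled key without an ownership check: the record is selected by
    the caller-supplied id alone, so any organization owner can delete any key."""
    if key_id not in store:
        raise NotFound(key_id)
    del store[key_id]
    return True


def delete_api_key_fixed(user, key_id, store):
    """Hardened handler: the lookup is scoped to the organizations the caller
    administers, and a foreign key is reported exactly like a missing one."""
    key = store.get(key_id)
    if key is None or key.organization_id not in user.organization_ids:
        # One error for both cases keeps the endpoint from confirming which ids exist.
        raise NotFound(key_id)
    del store[key_id]
    return True


def cross_org_delete_succeeds(handler):
    """Does the handler let alice (org 100) delete bob's key (org 200)?"""
    store = sample_store()
    try:
        handler(ALICE, 2, store)
    except NotFound:
        return False
    return 2 not in store


if __name__ == "__main__":
    print("vulnerable handler allows cross-org delete:",
          cross_org_delete_succeeds(delete_api_key_vulnerable))
    print("fixed handler allows cross-org delete:",
          cross_org_delete_succeeds(delete_api_key_fixed))
```

In a database-backed application the same scoping belongs in the query itself (select the key by id and by the caller's organization ids together) rather than in a check bolted on after an unscoped fetch, so that every code path that loads the record inherits the restriction. The fix commit referenced below is titled "Fix user admin check"; the page does not show its diff, so the handler above is an illustration of the check that was missing, not a reproduction of the project's change.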
References for CVE-2023-2260
- https://github.com/alfio-event/alf.io/commit/c9a16ab93d42b2beb06d529b57890121f85be6ef
  Fix user admin check (#1206) - cherry-picked from 1852400f3472afa23b7… · alfio-event/alf.io@c9a16ab · GitHub (Patch)
- https://huntr.dev/bounties/649badc8-c935-4a84-8aa8-d3269ac54377
  IDOR vulnerability: the owner of one organization can create, edit and delete API keys that belong to another organization, found in alf.io (Exploit)