CVE-2023-40020
- Source
- https://cve.org/CVERecord?id=CVE-2023-40020
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40020.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-40020
- Aliases
-
- GHSA-vhrw-2472-rrjx
- Published
- 2023-08-14T20:03:10.231Z
- Modified
- 2026-04-02T09:18:01.535194Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H CVSS Calculator
- Summary
- Improper Authentication in PrivateUploader
- Details
-
PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions
app/routes/v3/admin.controller.tsdid not correctly verify whether the user was an administrator (High Level) or moderator (Low Level) causing the request to continue processing. The response would be a 403 with ADMIN_ONLY, however, next() would call leading to any updates/changes in the route to process. This issue has been addressed in version 3.2.49. Users are advised to upgrade. There are no known workarounds for this vulnerability. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-287" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40020.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40020.json
- https://github.com/PrivateUploader/PrivateUploader/security/advisories/GHSA-vhrw-2472-rrjx
- https://nvd.nist.gov/vuln/detail/CVE-2023-40020
- https://github.com/PrivateUploader/PrivateUploader/commit/869657d61e3c7a518177106fe63ea483082b0d3e