GHSA-j8cw-ppmv-wj85

Source

https://github.com/advisories/GHSA-j8cw-ppmv-wj85

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-j8cw-ppmv-wj85/GHSA-j8cw-ppmv-wj85.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j8cw-ppmv-wj85

Aliases

CVE-2023-50462

Published

2023-12-13T23:12:32Z

Modified

2024-11-30T05:44:12.727959Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Insecure Direct Object Reference in extension "Content Consent" (content_consent)

Details

The extension fails to verify whether a specified content element identifier is permitted by the plugin. This enables an unauthenticated user to display various content elements, leading to an insecure direct object reference (IDOR) vulnerability with the potential to expose internal content elements.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T23:12:32Z"
}

References

Affected packages

Packagist / t3s/content-consent

Package

Name: t3s/content-consent
Purl: pkg:composer/t3s/content-consent

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.2

Affected versions

v2.*

v2.0.0

v2.0.1

Packagist / t3s/content-consent

Package

Name: t3s/content-consent
Purl: pkg:composer/t3s/content-consent

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.3

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2