GHSA-mrq8-53r4-3j5m

Source
https://github.com/advisories/GHSA-mrq8-53r4-3j5m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-mrq8-53r4-3j5m/GHSA-mrq8-53r4-3j5m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mrq8-53r4-3j5m
Aliases
Published
2022-02-10T22:35:39Z
Modified
2023-11-08T04:00:11.520787Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Permissive parameters and privilege escalation
Details

An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can automatically confirm their accounts by sending the confirmed_at parameter with their registration request.
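As an added illustration of the mass-assignment pattern described above (this is not Coherence's own code; the module, schema and field names are assumed for the example), the first changeset casts every schema field, so a client-supplied confirmed_at is accepted during registration, while the hardened changeset casts a fixed allow-list and leaves confirmation to a server-side transition:

```elixir
defmodule Demo.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  # Assumed schema; confirmed_at mirrors the field named in the advisory.
  schema "users" do
    field :email, :string
    field :password, :string, virtual: true, redact: true
    field :confirmed_at, :utc_datetime
    timestamps()
  end

  # Vulnerable pattern: every schema field is castable from request params,
  # so %{"email" => ..., "confirmed_at" => "2022-01-01T00:00:00Z"} succeeds.
  def registration_changeset_permissive(user, params) do
    user
    |> cast(params, __schema__(:fields))
    |> validate_required([:email, :password])
  end

  # Hardened pattern: only fields a registering user may legitimately supply.
  # confirmed_at is absent from the list, so cast/3 silently drops it.
  @registration_fields [:email, :password]
  def registration_changeset(user, params) do
    user
    |> cast(params, @registration_fields)
    |> validate_required(@registration_fields)
    |> validate_format(:email, ~r/@/)
    |> unique_constraint(:email)
  end

  # Confirmation is a separate, server-controlled state change with no
  # user-supplied input at all.
  def confirm_changeset(user) do
    change(user, confirmed_at: DateTime.truncate(DateTime.utc_now(), :second))
  end
end

# Quick check in iex (constructed input, not from the advisory):
#   params = %{"email" => "a@b.test", "password" => "pw", "confirmed_at" => "2022-01-01T00:00:00Z"}
#   Ecto.Changeset.get_change(Demo.Accounts.User.registration_changeset_permissive(%Demo.Accounts.User{}, params), :confirmed_at)
#   # => ~U[2022-01-01 00:00:00Z]   (attacker-controlled confirmation)
#   Ecto.Changeset.get_change(Demo.Accounts.User.registration_changeset(%Demo.Accounts.User{}, params), :confirmed_at)
#   # => nil                        (dropped by the allow-list)
```

A useful detection check is to grep registration and profile changesets for cast/3 calls whose permitted list is built from __schema__(:fields) or from the params map itself rather than a literal list.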

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2022-01-27T20:15:58Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Hex / coherence

Package

Name
coherence
Purl
pkg:hex/coherence

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.5.2