GHSA-qcqv-38jg-2r43
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qcqv-38jg-2r43
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-qcqv-38jg-2r43/GHSA-qcqv-38jg-2r43.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qcqv-38jg-2r43
- Published
- 2022-09-15T03:21:41Z
- Modified
- 2024-12-06T05:27:05.199086Z
- Summary
- Pageflow vulnerable to insecure direct object reference in membership update endpoint
- Details
-
Impact
Pageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account that they have the
managerrole to (including their own). While theEntitydropdown select field is greyed out in the UI, an attacker can use tools which allow sending arbitrary HTTP request to craft a request to the/admin/users/{user_id}/memberships/{membership_id}endpoint containing an additionalmembership[entity_id]parameter. This parameter is honored when the membership is updated, allowing an attacker to update the membership object associated with their own account (withmanagerrole) to be associated with a different attacker-chosen account instead. Sinceaccount_ids are enumerable, an attacker can compromise all accounts present on the platform.Mitigation
Upgrade to version 15.7.1 or 14.5.2 of the
pageflowgem.For more information
If you have any questions or comments about this advisory email us at info(at)codevise.de
Credits
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-15T03:21:41Z" }- References
Affected packages
RubyGems / pageflow
Package
- Name
- pageflow
- Purl
- pkg:gem/pageflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed14.5.2
Affected versions
0.*
12.*
13.*
14.*
RubyGems / pageflow
Package
- Name
- pageflow
- Purl
- pkg:gem/pageflow