Lucene search

[email protected]NVD:CVE-2023-27485

HistoryMar 07, 2023 - 7:15 p.m.

CVE-2023-27485

2023-03-0719:15:12

CWE-863

[email protected]

web.nvd.nist.gov

thmmniii/fbs-core

unauthorized access

subresults

upgrade

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.5

Confidence

High

EPSS

0.001

Percentile

32.5%

JSON

thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying subresults, it is possible to query subresults from other users due to insufficient authorisation. This is only possible for logged-in users and it is not possible to associate the subresults with a specific user. This bug was fixed in commit f1ae67d8bb2and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue.

Affected configurations

Nvd

Node

thmfeedbacksystemRange<1.5.3

VendorProductVersionCPE
thmfeedbacksystem*cpe:2.3:a:thm:feedbacksystem:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
thm	feedbacksystem	*	cpe:2.3:a:thm:feedbacksystem::::::::

References

github.com/thm-mni-ii/feedbacksystem/commit/f1ae67d8bb2286a8eb15949038473d41b1358493

github.com/thm-mni-ii/feedbacksystem/releases/tag/v1.5.3

github.com/thm-mni-ii/feedbacksystem/security/advisories/GHSA-fhq8-p3w6-mmgr

thm-mni-ii.github.io/feedbacksystem/api-docs/#tag/Submission/operation/getCourseTaskSubmissionSubresults

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.5

Confidence

High

EPSS

0.001

Percentile

32.5%

JSON

Related for NVD:CVE-2023-27485

cve1 osv1 prion1 cvelist1