Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

User Settings should only be accessible to individual users or administrators #4878

Merged
merged 1 commit into from
Nov 27, 2024
Merged

User Settings should only be accessible to individual users or administrators #4878

merged 1 commit into from
Nov 27, 2024

Conversation

sbwalker
Copy link
Member

No description provided.

@sbwalker sbwalker merged commit cdd03bf into oqtane:dev Nov 27, 2024
@sbwalker
Copy link
Member Author

sbwalker commented Dec 23, 2024
edited
Loading

A CVE 2024-55470 has been attributed to this pull request:

"Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication."

Both the severity level and description of the vulnerability is inaccurate. Specifically, "attackers can bypass passcode validation and successfully log into the application" is 100% false. The security issue was investigated and feedback was provided to the contributor of the issue to dispute the issue, however they proceeded to publicize it anyways.

@sbwalker sbwalker mentioned this pull request Dec 23, 2024
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sbwalker