Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-32316: Users can add themselves to any organization in CloudExplorer Lite

CloudExplorer Lite is an open source cloud management tool. In affected versions users can add themselves to any organization in CloudExplorer Lite. This is due to a missing permission check on the user profile. It is recommended to upgrade the version to v1.1.0. There are no known workarounds for this vulnerability.

CVE
Open in Source
#vulnerability#git

Impact

Users can add themselves to any organization in CloudExplorer Lite

The reproduction steps are as follows:

  1. User 1 belongs to organization team1 and does not belong to team2.
  2. User 1 modifies their own profile.
  3. On the interface, user 1 can only see team1 when modifying their organization.
  4. However, we intercepted the request using burpsuite and replaced the ID of team1 in the request with team2.
  5. Continue execution and find that it can be executed successfully.
  6. The reason is that although we ensure that team2 is not visible on the interface, the server did not check whether user1 can choose team2.

Reproduction video:
https://1drv.ms/v/s ! Avwg5C1eKVA4girUgKWl9SQX543P? e=N1ZU47

Affected versions: <= 1.0.2.

Patches

The vulnerability has been fixed in v1.1.0.

Workarounds

It is recommended to upgrade the version to v1.1.0.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/CloudExplorer-Dev/CloudExplorer-Lite
Email us at [email protected]

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE