CVE-2023-27485
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-27485
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-27485.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-27485
- Aliases
-
- GHSA-fhq8-p3w6-mmgr
- Published
- 2023-03-07T18:26:11Z
- Modified
- 2025-10-30T20:19:19.140446Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Insufficient verification of authorisation when accessing subresults in thmmniii/fbs-core
- Details
-
thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying
subresults, it is possible to querysubresultsfrom other users due to insufficient authorisation. This is only possible for logged-in users and it is not possible to associate the subresults with a specific user. This bug was fixed in commitf1ae67d8bb2and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue. - Database specific
{ "cwe_ids": [ "CWE-863" ] }- References
-
- https://github.com/thm-mni-ii/feedbacksystem/commit/f1ae67d8bb2286a8eb15949038473d41b1358493
- https://github.com/thm-mni-ii/feedbacksystem/releases/tag/v1.5.3
- https://github.com/thm-mni-ii/feedbacksystem/security/advisories/GHSA-fhq8-p3w6-mmgr
- https://thm-mni-ii.github.io/feedbacksystem/api-docs/#tag/Submission/operation/getCourseTaskSubmissionSubresults