GHSA-jhq3-57xh-6643

Source

https://github.com/advisories/GHSA-jhq3-57xh-6643

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-jhq3-57xh-6643/GHSA-jhq3-57xh-6643.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-jhq3-57xh-6643

Aliases

CVE-2018-3783

Published

2018-08-21T17:03:59Z

Modified

2023-11-01T04:49:30.242318Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Privilege Escalation due to Blind NoSQL Injection in flintcms

Details

Versions of flintcms before version 1.1.10 are vulnerable to account takeover due to blind MongoDB injection in the password reset.

Recommendation

Update to version 1.1.10 or later.

Database specific

{
    "cwe_ids": [
        "CWE-89"
    ],
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2020-06-16T21:43:33Z",
    "nvd_published_at": null
}

References

Affected packages

npm / flintcms

Package

Name: flintcms; View open source insights on deps.dev
Purl: pkg:npm/flintcms

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.10