CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts.
{ "nvd_published_at": "2022-11-22T01:15:00Z", "cwe_ids": [ "CWE-287", "CWE-862" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-02-02T16:59:55Z" }