GHSA-m6j4-8r7p-wpp3

Suggest an improvement
Source
https://github.com/advisories/GHSA-m6j4-8r7p-wpp3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-m6j4-8r7p-wpp3/GHSA-m6j4-8r7p-wpp3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m6j4-8r7p-wpp3
Aliases
Published
2021-10-06T17:46:55Z
Modified
2024-02-17T05:20:14.794285Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
BuddyPress privilege escalation via REST API
Details

Impact

It's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint.

Patches

The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

References

https://buddypress.org/2021/03/buddypress-7-2-1-security-release/

For more information

If you have any questions or comments about this advisory: * Open an issue in HackerOne

Database specific
{
    "nvd_published_at": "2021-03-26T21:15:00Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-06T16:57:01Z"
}
References

Affected packages

Packagist / buddypress/buddypress

Package

Name
buddypress/buddypress
Purl
pkg:composer/buddypress/buddypress

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
7.2.1

Affected versions

5.*

5.0.0
5.1.0-beta1
5.1.0
5.1.1
5.1.2
5.2.0
5.2.1
5.2.2

6.*

6.0.0-beta1
6.0.0-beta2
6.0.0-RC1
6.0.0-RC2
6.0.0
6.1.0
6.2.0-beta1
6.2.0
6.3.0
6.4.0
6.4.2
6.4.3

7.*

7.0.0-beta1
7.0.0-beta2
7.0.0-RC1
7.0.0-RC2
7.0.0
7.1.0
7.2.0