CVE-2023-35937

Published: Jul 6, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can be updated as space administrators. Version 2.10.2 LTS has a patch for this issue.

Affected (1)

Products: Metersphere: Metersphere

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Metersphere Metersphere	Before 2.10.2

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://github.com/metersphere/metersphere/security/advisories/GHSA-7xj3-qrx5-524r

Source: security-advisories@github.com

Exploit

https://github.com/metersphere/metersphere/security/advisories/GHSA-7xj3-qrx5-524r

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.