CVE-2023-50267

Published: Dec 28, 2023Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds.

Affected (1)

Products: Metersphere: Metersphere

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Metersphere Metersphere	Before 2.10.10

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9

Source: security-advisories@github.com

Vendor Advisory

https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.