References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-863

https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39

https://github.com/leepeuker/movary/pull/749

https://github.com/leepeuker/movary/releases/tag/0.71.1

https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w