Vulnerability	Vulnerable Version
M Authorization Bypass Through User-Controlled Key @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the `getUsers` process. An attacker can access sensitive owner account information, such as IDs, usernames, display names, and email addresses, by supplying a crafted `rank` query parameter while authenticated as an admin. This allows bypassing intended authorization boundaries and retrieving privileged user data. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `@withstudiocms/api-spec` to version 0.3.2 or higher.	<0.3.2
M Authorization Bypass Through User-Controlled Key @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the `create-reset-link` process. An attacker can gain unauthorized access to higher-privileged accounts by generating a password reset token for any user, including those with greater privileges, and then resetting their password using the token. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `@withstudiocms/api-spec` to version 0.3.2 or higher.	<0.3.2

Authorization Bypass Through User-Controlled Key

@withstudiocms/api-spec is an API Specification for StudioCMS

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the getUsers process. An attacker can access sensitive owner account information, such as IDs, usernames, display names, and email addresses, by supplying a crafted rank query parameter while authenticated as an admin. This allows bypassing intended authorization boundaries and retrieving privileged user data.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade @withstudiocms/api-spec to version 0.3.2 or higher.

<0.3.2

Authorization Bypass Through User-Controlled Key

@withstudiocms/api-spec is an API Specification for StudioCMS

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to higher-privileged accounts by generating a password reset token for any user, including those with greater privileges, and then resetting their password using the token.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade @withstudiocms/api-spec to version 0.3.2 or higher.

<0.3.2

Go back to all versions of this package