studiocms 0.4.2

Direct Vulnerabilities

Known vulnerabilities in the studiocms package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Authorization Bypass Through User-Controlled Key studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the `getUsers` process. An attacker can access sensitive owner account information, such as IDs, usernames, display names, and email addresses, by supplying a crafted `rank` query parameter while authenticated as an admin. This allows bypassing intended authorization boundaries and retrieving privileged user data. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `studiocms` to version 0.4.4 or higher.	<0.4.4
M Incorrect Privilege Assignment studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the `RestApiSecureHandler` user creation flow in `frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts`. An attacker can achieve persistence by creating peer admin accounts through the REST API while authenticated with an existing admin token. How to fix Incorrect Privilege Assignment? Upgrade `studiocms` to version 0.4.3 or higher.	<0.4.3
M Authorization Bypass Through User-Controlled Key studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the `updateUserNotifications` handler in `frontend/pages/studiocms_api/_handlers/dashboard/users.ts`. An attacker can disable any user’s notification preferences, including admins`, by making authenticated requests that include an arbitrary` id` in the payload instead of their own. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `studiocms` to version 0.4.3 or higher.	<0.4.3
M Authorization Bypass Through User-Controlled Key studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the `create-reset-link` process. An attacker can gain unauthorized access to higher-privileged accounts by generating a password reset token for any user, including those with greater privileges, and then resetting their password using the token. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `studiocms` to version 0.4.3 or higher.	<0.4.3

Vulnerability

Vulnerable Version

Authorization Bypass Through User-Controlled Key

studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the getUsers process. An attacker can access sensitive owner account information, such as IDs, usernames, display names, and email addresses, by supplying a crafted rank query parameter while authenticated as an admin. This allows bypassing intended authorization boundaries and retrieving privileged user data.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade studiocms to version 0.4.4 or higher.

<0.4.4

Incorrect Privilege Assignment

studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community.

Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the RestApiSecureHandler user creation flow in frontend/pages/studiocms_api/_handlers/rest-api/v1/secure.ts. An attacker can achieve persistence by creating peer admin accounts through the REST API while authenticated with an existing admin token.

How to fix Incorrect Privilege Assignment?

Upgrade studiocms to version 0.4.3 or higher.

<0.4.3

Authorization Bypass Through User-Controlled Key

studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the updateUserNotifications handler in frontend/pages/studiocms_api/_handlers/dashboard/users.ts. An attacker can disable any user’s notification preferences, including admins, by making authenticated requests that include an arbitrary id` in the payload instead of their own.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade studiocms to version 0.4.3 or higher.

<0.4.3

Authorization Bypass Through User-Controlled Key

studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to higher-privileged accounts by generating a password reset token for any user, including those with greater privileges, and then resetting their password using the token.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade studiocms to version 0.4.3 or higher.

<0.4.3

studiocms@0.4.2

A Community-Driven Astro native CMS. Built from the ground up by the Astro community.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically