Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NErudika Scoold
APPErudika< 1.66.2
Powiązane podatności
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found...
Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size ...
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authen...
Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. When writing a Q&A, the markdown editor is vul...
Business Logic Errors in GitHub repository erudika/para prior to 1.45.11.