Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2.
The server-side (backend) authorization mechanism incorrectly implements access control for accounts that have not yet completed the verification process and have PENDING status. In accordance with CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-863 (Incorrect Authorization), the application does not properly enforce access restrictions at the server level. An attacker can register an account for their own organization or user, and then—without approval by an administrator—gain access to resources or operations for which they should not have permissions.
An attacker without any permissions and without user interaction can gain unauthorized access to data and functions of the Dataspace management system, including potentially reading and modifying data both within their own context and connected systems.
Update Data Space Portal to version 7.3.2 or newer, in which the vulnerability has been patched. Details available in the official release: https://github.com/sovity/dataspace-portal/releases/tag/v7.3.2
Data Space Portal in versions from 2.1.1 to before 7.3.2 (dataspace-portal backend).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X