flintcms@1.1.8 vulnerabilities

Content-Focused CMS built on Node.js

Direct Vulnerabilities

Known vulnerabilities in the flintcms package. This does not include vulnerabilities belonging to this package’s dependencies.

Privilege Escalation

flintcms is a CMS built to be easy to use and super flexible.

Affected versions of this package are vulnerable to Privilege Escalation due to a lack of user input sanitization in the route that verifies the password reset token. The value of the request parameter is passed directly to the Mongoose API, which allows a user to supply MongoDB query operators instead of a plain token string. Those operators can be used to extract the value of the field blindly, in the same manner as a blind SQL injection.
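As an added illustration of the defect class described above and the kind of check that closes it (this is hypothetical example code, not flintcms's own implementation): Express parses a query string such as `token[$ne]=` into a nested object, so a route that forwards `req.query.token` straight into a Mongoose filter lets that object be interpreted as a query operator. The helper below refuses anything that is not a plain string of the expected shape before it reaches the query. The field name `resetPasswordToken`, the token format, and the request objects are assumptions.

```javascript
// Hypothetical hardening for a password-reset-token lookup. Not flintcms code.
// Assumed token shape: 20-128 URL-safe characters.
const TOKEN_RE = /^[A-Za-z0-9_-]{20,128}$/;

// Returns the validated token string, or null when the input is not a
// string or does not match the expected shape. Objects and arrays
// (including anything a query-string parser built from "token[...]=")
// are rejected, so MongoDB operator keys never reach the filter.
function validateResetToken(raw) {
  if (typeof raw !== 'string') return null;
  if (!TOKEN_RE.test(raw)) return null;
  return raw;
}

// Builds the Mongoose filter for the lookup. The literal value is wrapped in
// $eq so that even a non-string value slipping past validation would be
// compared as data rather than interpreted as an operator. Returns null when
// the token is rejected; the route should then respond as "invalid token"
// without touching the database. Field name is an assumption.
function buildResetFilter(raw) {
  const token = validateResetToken(raw);
  if (token === null) return null;
  return { resetPasswordToken: { $eq: token } };
}

// Route-shaped wrapper: takes a request-like object and a findOne function
// (real code would pass Model.findOne), returns the matched user or null.
// Constructed in-memory lookup stands in for Mongoose so this runs offline.
function lookupUserForReset(req, findOne) {
  const filter = buildResetFilter(req.query.token);
  if (filter === null) return null;
  return findOne(filter);
}

// Constructed sample data: one user with a pending reset token.
const users = [{ email: 'alice@example.test', resetPasswordToken: 'a'.repeat(32) }];
function fakeFindOne(filter) {
  const want = filter.resetPasswordToken.$eq;
  return users.find((u) => u.resetPasswordToken === want) || null;
}

// Constructed requests: a plain token, and the object a query-string
// parser produces for "token[$ne]=" (rejected before any lookup).
const goodReq = { query: { token: 'a'.repeat(32) } };
const badReq = { query: { token: { $ne: '' } } };
```

Mongoose 6 and later also offer `mongoose.set('sanitizeFilter', true)` as a defence in depth, but the type check at the route boundary is what keeps untrusted objects out of the filter in the first place.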

How to fix Privilege Escalation?

Upgrade flintcms to version 1.1.10 or higher.

Vulnerable versions: <1.1.10