Type Casting Attack

Affecting yourls/yourls package, versions >=0.0.0

Overview

yourls/yourls is a set of PHP scripts that allow you to run Your Own URL Shortener.

Affected versions of this package are vulnerable to a Type Casting Attack. An attacker can use non-strict comparisons to bypass authentication and gain access to the admin page and API.
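The bug class in general form, as an added example: this is not YOURLS code and not the project's fix. The token value, function names and JSON request bodies are constructed for illustration. It puts a non-strict check beside a type-checked, constant-time one and runs both over the same inputs.

```php
<?php
declare(strict_types=1);

// Hypothetical stored secret, constructed for this example.
const EXPECTED_TOKEN = 'f3a9c1d27b';

// Weak form: == lets PHP convert the operands to a common type before
// comparing, so the result depends on the type the caller sent.
function token_matches_loose($supplied): bool
{
    return $supplied == EXPECTED_TOKEN;
}

// Hardened form: accept strings only, then compare with hash_equals(),
// which is type-safe and runs in constant time.
function token_matches_strict($supplied): bool
{
    return is_string($supplied) && hash_equals(EXPECTED_TOKEN, $supplied);
}

// Constructed request bodies. json_decode() preserves the sender's type,
// so the value reaching the check is not guaranteed to be a string.
$samples = [
    'correct string' => '{"token":"f3a9c1d27b"}',
    'wrong string'   => '{"token":"guess"}',
    'boolean'        => '{"token":true}',
];

foreach ($samples as $label => $body) {
    $supplied = json_decode($body, true)['token'];
    printf(
        "%-15s loose=%s strict=%s\n",
        $label,
        var_export(token_matches_loose($supplied), true),
        var_export(token_matches_strict($supplied), true)
    );
}
```

When reviewing PHP authentication code, treat every `==` or `!=` that touches a password, token, signature or cookie value as a finding until it is replaced with `===` or `hash_equals()` plus an explicit type check.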

Remediation

A fix was pushed into the master branch but has not yet been published.

CVSS Score

7.5 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit: Wocanilo
CVE: CVE-2019-14537
CWE: CWE-704
Snyk ID: SNYK-PHP-YOURLSYOURLS-458753
Disclosed: 07 Aug, 2019
Published: 08 Aug, 2019