Do your applications use this vulnerable package?
Test your applications
Overview
loopback
is an Open Source Framework for Node.js.
Affected versions of the package are vulnerable to Authentication Bypass. It allowes users to change Admin's password by using their regular access token in case they have the same id and the same password.
Remediation
Upgrade loopback
to version 3.16.2 or higher.
References
CVSS Score
5.3
medium severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityNone
-
IntegrityLow
-
AvailabilityNone
- Credit
- Unknown
- CWE
- CWE-592
- Snyk ID
- npm:loopback:20171027
- Disclosed
- 26 Oct, 2017
- Published
- 06 Mar, 2018