Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2021-25991
Date: December 29, 2021
Details
There is an improper access control issue which makes it possible for admins to self ban themselves leading to their deactivation from Ifme account and complete loss of admin access to Ifme.PoC Details
In the private window, access the application by going to http://localhost:3000/users/sign_in and login with credentials of a normal user. Go to http://localhost:3000/allies and search for the admin’s email address. Now, press on “Add to allies” for the admin profile. In the normal window login as admin and accept the ally request. Now in the private window, as the normal user, go to Ally > Admin profile and then click report > add some reason and submit it. Go back to the normal window as admin, go to http://localhost:3000/admin_dashboard and click “Ban User” over Admin User. We see that the admin account gets deactivated from the account and can’t be recovered.Affected Environments
v5.0.0–v7.32Prevention
Update to version v7.32.1 or laterLanguage: Ruby
Good to know:
| Base Score: |
|
|---|---|
| Attack Vector (AV): | Network |
| Attack Complexity (AC): | Low |
| Privileges Required (PR): | Low |
| User Interaction (UI): | Required |
| Scope (S): | Unchanged |
| Confidentiality (C): | None |
| Integrity (I): | High |
| Availability (A): | High |
| Base Score: |
|
|---|---|
| Access Vector (AV): | Network |
| Access Complexity (AC): | Medium |
| Authentication (AU): | Single |
| Confidentiality (C): | None |
| Integrity (I): | Partial |
| Availability (A): | Partial |
| Additional information: |