Home > Vulnerability Database > CVE-2023-40020

Mend.io Vulnerability Database

CVE-2023-40020

Date: August 14, 2023

PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions `app/routes/v3/admin.controller.ts` did not correctly verify whether the user was an administrator (High Level) or moderator (Low Level) causing the request to continue processing. The response would be a 403 with ADMIN_ONLY, however, next() would call leading to any updates/changes in the route to process. This issue has been addressed in version 3.2.49. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: TYPE_SCRIPT

Severity Score

8.3

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40020

Url: https://github.com/PrivateUploader/PrivateUploader/commit/869657d61e3c7a518177106fe63ea483082b0d3e

Url: https://github.com/PrivateUploader/PrivateUploader/security/advisories/GHSA-vhrw-2472-rrjx

Url: https://www.mend.io/vulnerability-database/CVE-2023-40020

Severity Score

8.3

Weakness Type (CWE)

Authentication Issues

CWE-287

CVSS v3.1

Base Score:	8.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40020

Date: August 14, 2023

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?