We found results for “”
WS-2023-0260
Good to know:
Date: July 20, 2023
In the settings of a Mozilla Hub, an admin user can disable the creation an object or move deny to move any object. This is bypassable with the usage of certain /<commands> inside the chat feature. An attacker does not to be authenticated nor have joined the room to perform this attack. With some JavaScript magic, they can trick the browser thinking we are in the room, which we are not. An attacker is able to place different kinds of objects while the admin user specifically disables the creation of objects inside the room. The server does not validate the access control rules of the room when calling the websockets requests to create an object.
Language: JS
Severity Score
Severity Score
Weakness Type (CWE)
Improper Access Control
CWE-284Top Fix
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | HIGH |
Availability (A): | NONE |