Feedbacksystem
CVE-2023-27485
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying subresults, it is possible to query subresults from other users due to insufficient authorisation. This is only possible for logged-in users and it is not possible to associate the subresults with a specific user. This bug was fixed in commit f1ae67d8bb2and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue.
AnalysisAI
thmmniii/fbs-core is an open source feedback system for students. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying subresults, it is possible to query subresults from other users due to insufficient authorisation. This is only possible for logged-in users and it is not possible to associate the subresults with a specific user. This bug was fixed in commit f1ae67d8bb2and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Thm Feedbacksystem. Version information: prior to 1.5.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in Feedbacksystem
View allSame weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today