Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in looks_awesome Team Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team Builder: from n/a through 1.5.7.
AnalysisAI
Missing Authorization vulnerability (CWE-862) in looks_awesome Team Builder versions up to 1.5.7 that allows authenticated attackers to exploit misconfigured access control security levels to gain unauthorized access to sensitive functionality. An attacker with valid credentials can bypass intended authorization checks to read, modify, or delete data they should not have access to. The CVSS 7.6 score reflects the combination of low attack complexity, authenticated access requirement, and moderate-to-high impact on confidentiality and integrity.
Technical ContextAI
This vulnerability stems from improper implementation of role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms within the looks_awesome Team Builder application. CWE-862 (Missing Authorization) indicates that the application fails to perform authorization checks before allowing access to sensitive operations or resources. The vulnerability affects all versions from an unspecified baseline through version 1.5.7, suggesting a systematic authorization flaw rather than a single code path issue. The CVSS vector (PR:L) confirms that the vulnerability requires low-privilege authenticated access, meaning the authorization framework likely fails to properly validate user permissions at the business logic layer, potentially in API endpoints, workflow operations, or team management features within Team Builder.
RemediationAI
Immediate actions: (1) Upgrade looks_awesome Team Builder to version 1.5.8 or later if available, which should include authorization controls fixes; (2) Review and audit current access control configurations within Team Builder, particularly role definitions, permission matrices, and team membership assignments to identify overly-permissive settings; (3) Implement least-privilege principle for Team Builder user roles, ensuring users have only the minimum permissions necessary for their function; (4) Enable and review audit logging for sensitive Team Builder operations (read, write, delete) to detect potential exploitation; (5) Restrict network access to Team Builder administration interfaces and sensitive APIs using network segmentation or WAF rules; (6) Conduct access control reviews focusing on team leaders, administrators, and service accounts that may have elevated privileges. Consult the looks_awesome security advisory for specific patch availability and deployment instructions.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17509