CVE-2021-25973 (publify_core): Improper Authorization in Publify

November 3rd, 2021

ADVISORIES

CVE-2021-25973 (NVD)
GHSA-x24j-87x9-jvv5
Vendor Advisory

GEM

publify_core

SEVERITY

CVSS v3.x: 6.5 (Medium)

UNAFFECTED VERSIONS

< 9.0.0.pre1

PATCHED VERSIONS

>= 9.2.5

DESCRIPTION

In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. guest role users can self-register even when the admin does not allow. This happens due to front-end restriction only.

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25973

RubySec