Improper Authorization in Publify
Published: November 03, 2021
SECURITY IDENTIFIERS
- CVE: CVE-2021-25973 (NVD)
- GHSA: GHSA-x24j-87x9-jvv5
- Vendor Advisory: https://github.com/publify/publify/commit/3447e0241e921b65f6eb1090453d8ea73e98387e
GEM
SEVERITY
CVSS v3.x: 6.5 (Medium)
UNAFFECTED VERSIONS
< 9.0.0.pre1
PATCHED VERSIONS
>= 9.2.5
DESCRIPTION
Publify versions 9.0.0.pre1 through 9.2.4 are vulnerable to Improper Access Control. Users can self-register (receiving the guest role) even when the administrator has disabled self-registration. The restriction is enforced only in the front end: the signup option is withheld from the user interface, but the server-side registration endpoint does not re-check the setting, so a request sent directly to that endpoint is accepted.
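The following is an added illustration of the bug class described above, not code from Publify or from the fix commit. It contrasts a signup controller whose "disabled" state exists only in the view with one that re-checks the setting on the server. The class and method names, the settings object, and the request/response stand-ins are all hypothetical; a real Rails application would express the same guard as a before_action on the controller.

```ruby
# Added example (not Publify's code): a "signups disabled" setting enforced only
# in the view versus enforced in the controller. All names are hypothetical.

# Constructed stand-in for the blog's persisted settings.
Settings = Struct.new(:allow_signup)

# Constructed stand-in for an HTTP request: method, path and form params.
Request = Struct.new(:method, :path, :params)

# Minimal response: status code plus a body string.
Response = Struct.new(:status, :body)

# In-memory user table so the example runs without a database.
class UserStore
  attr_reader :users

  def initialize
    @users = []
  end

  def create(login:, role:)
    user = { login: login, role: role }
    @users << user
    user
  end
end

# Vulnerable pattern: the "Sign up" link is hidden when signups are disabled,
# but the create action performs no check of its own, so anyone who sends the
# POST directly (curl, a saved form, a script) still gets an account.
class VulnerableSignupController
  def initialize(settings, store)
    @settings = settings
    @store = store
  end

  # View layer: the only place the setting is consulted.
  def signup_link
    @settings.allow_signup ? '<a href="/users/new">Sign up</a>' : ""
  end

  # POST /users: trusts that the form was only reachable when allowed.
  def create(request)
    @store.create(login: request.params["login"], role: "guest")
    Response.new(201, "created")
  end
end

# Hardened pattern: same view behaviour, plus a server-side guard that runs
# before the action regardless of how the request was produced.
class HardenedSignupController
  def initialize(settings, store)
    @settings = settings
    @store = store
  end

  def signup_link
    @settings.allow_signup ? '<a href="/users/new">Sign up</a>' : ""
  end

  # POST /users: rejects the request when the administrator disabled signups.
  def create(request)
    return Response.new(403, "signups disabled") unless @settings.allow_signup

    @store.create(login: request.params["login"], role: "guest")
    Response.new(201, "created")
  end
end

# Replays a crafted POST against a controller with signups disabled and
# reports whether a guest account was created despite the setting.
def direct_post_creates_account?(controller_class)
  settings = Settings.new(false)
  store = UserStore.new
  controller = controller_class.new(settings, store)
  request = Request.new("POST", "/users", { "login" => "attacker" })
  controller.create(request)
  store.users.any? { |u| u[:login] == "attacker" && u[:role] == "guest" }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable controller, signups disabled: account created? " \
       "#{direct_post_creates_account?(VulnerableSignupController)}"
  puts "hardened controller, signups disabled:   account created? " \
       "#{direct_post_creates_account?(HardenedSignupController)}"
end
```

Both controllers render the same empty page when signups are off; the difference is only visible when the form is bypassed. When reviewing a fix for this class of issue, check that the guard sits in the controller (or model validation), not in the template, and that it covers every route that can create an account, not just the one the hidden link pointed to.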
