RubySec

Providing security resources for the Ruby community

CVE-2021-25973 (publify-core): Improper Authorization in Publify

ADVISORIES

GEM

publify-core

SEVERITY

CVSS v3.x: 6.5 (Medium)

UNAFFECTED VERSIONS

  • < 9.0.0.pre1

PATCHED VERSIONS

  • >= 9.2.5

DESCRIPTION

Publify versions 9.0.0.pre1 through 9.2.4 are vulnerable to Improper Access Control. Users with the guest role can self-register even when the administrator has disabled self-registration, because the restriction is enforced only in the front end (the user interface) and not by the server-side registration handler; a request sent directly to the registration endpoint bypasses it.
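The following Ruby is an added illustration of the general bug class described in this advisory; it is not Publify's own code, and every class, setting and route name in it (SiteSettings, allow_signup, VulnerableSignupController, HardenedSignupController, /users/new) is hypothetical. It contrasts a registration action that relies on the view hiding the sign-up link with one that re-checks the administrator's setting server-side before creating the account.

```ruby
# Added illustration (not Publify's own code): why a front-end-only
# restriction on self-registration is bypassable, and the server-side check
# that closes the hole. All names here are hypothetical.

require 'securerandom'

# Hypothetical site settings; allow_signup mirrors "admin does not allow".
class SiteSettings
  attr_accessor :allow_signup

  def initialize(allow_signup: false)
    @allow_signup = allow_signup
  end
end

# Minimal in-memory stand-in for a user table.
class UserStore
  attr_reader :users

  def initialize
    @users = []
  end

  def create(login:, role:)
    user = { id: SecureRandom.hex(4), login: login, role: role }
    @users << user
    user
  end
end

# A controller-style result: HTTP status plus body.
Response = Struct.new(:status, :body)

# VULNERABLE pattern: the view hides the "Sign up" link when signups are
# disabled, but the create action trusts that nobody reaches it.
class VulnerableSignupController
  def initialize(settings, store)
    @settings = settings
    @store = store
  end

  # View layer: the only place the setting is consulted.
  def render_signup_link
    @settings.allow_signup ? '<a href="/users/new">Sign up</a>' : ''
  end

  # An attacker simply POSTs here directly; nothing checks the setting.
  def create(params)
    user = @store.create(login: params[:login], role: :guest)
    Response.new(201, "created #{user[:login]}")
  end
end

# FIXED pattern: the same decision is enforced in the action that performs
# the state change, regardless of what the UI showed.
class HardenedSignupController < VulnerableSignupController
  def create(params)
    return Response.new(403, 'self-registration disabled') unless @settings.allow_signup

    super
  end
end

# Simulates a crafted POST that bypasses the UI. Returns the response and
# the number of users afterwards so the effect is observable.
def attempt_signup(controller_class, allow_signup:)
  settings = SiteSettings.new(allow_signup: allow_signup)
  store = UserStore.new
  controller = controller_class.new(settings, store)
  response = controller.create(login: 'attacker')
  [response, store.users.size]
end

if __FILE__ == $PROGRAM_NAME
  vuln, n = attempt_signup(VulnerableSignupController, allow_signup: false)
  puts "vulnerable: #{vuln.status} (#{n} user(s) created)"
  fixed, n = attempt_signup(HardenedSignupController, allow_signup: false)
  puts "hardened:   #{fixed.status} (#{n} user(s) created)"
end
```

With signups disabled, the vulnerable controller still answers 201 and stores the account, while the hardened one answers 403 and stores nothing; hiding a link is presentation, and the authorization decision has to be made again wherever the state change actually happens.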