Incorrect access control allows users to edit discussions
Information
- CVE Id: CVE-2020-25822
- CVSS 3.0 Score: 4.3
- Severity: Medium
- CWE classification: CWE-273 - Incorrect Access Control
- CVSS 3.0 string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
The discussions feature allows users to edit their own posts. The API endpoint used to edit posts did not verify that the caller owns the post being edited, so any user who has permission to comment and modify their own posts could modify posts written by other users.
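The flaw described above is a missing object-level authorization check: the endpoint confirms that the caller may edit posts in general, but not that the caller owns the specific post. The following is an added illustrative example, not Dataiku DSS code; the data model, handler names, users and audit-log format are all constructed for illustration. It shows the vulnerable handler beside the corrected one, and a small audit-log check a defender could use to spot edits where the actor is not the post's author.

```python
import re
from dataclasses import dataclass


@dataclass
class Post:
    post_id: int
    author: str
    body: str


@dataclass
class User:
    name: str
    can_comment: bool = True  # may comment and edit their own posts


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the edit."""


def make_sample_posts():
    # Constructed sample data: two ordinary users, each owning one post.
    return {
        1: Post(1, "alice", "original text by alice"),
        2: Post(2, "bob", "original text by bob"),
    }


def edit_post_vulnerable(user, post_id, new_body, posts):
    """Role check only: any user who may comment can edit any post."""
    if not user.can_comment:
        raise Forbidden("no comment permission")
    post = posts[post_id]
    post.body = new_body
    return post


def edit_post_fixed(user, post_id, new_body, posts):
    """Role check plus ownership check on the specific post."""
    if not user.can_comment:
        raise Forbidden("no comment permission")
    post = posts.get(post_id)
    if post is None:
        raise KeyError(post_id)
    if post.author != user.name:
        raise Forbidden("post belongs to another user")
    post.body = new_body
    return post


def attempt_edit(handler, user, post_id, new_body, posts):
    """Run a handler and report the outcome as a string."""
    try:
        handler(user, post_id, new_body, posts)
        return "edited"
    except Forbidden:
        return "forbidden"


# Constructed audit log lines in a hypothetical format (not real DSS log output).
SAMPLE_AUDIT_LOG = """\
2020-09-10T12:00:01Z post.edit actor=alice post_id=1 author=alice
2020-09-10T12:00:05Z post.edit actor=bob post_id=1 author=alice
2020-09-10T12:00:09Z post.edit actor=bob post_id=2 author=bob
"""

_EDIT_RE = re.compile(r"post\.edit actor=(\S+) post_id=(\d+) author=(\S+)")


def find_cross_user_edits(log_text):
    """Return (actor, post_id, author) for every edit where actor != author."""
    hits = []
    for line in log_text.splitlines():
        m = _EDIT_RE.search(line)
        if m and m.group(1) != m.group(3):
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits


if __name__ == "__main__":
    bob = User("bob")
    print(attempt_edit(edit_post_vulnerable, bob, 1, "tampered", make_sample_posts()))
    print(attempt_edit(edit_post_fixed, bob, 1, "tampered", make_sample_posts()))
    print(find_cross_user_edits(SAMPLE_AUDIT_LOG))
```

The fixed handler checks ownership of the exact object being modified, which is the check the advisory says was missing. If a product also lets moderators edit others' posts, that allowance should be an explicit role check in the same place rather than an absence of the ownership check. The audit-log helper is useful for reviewing historical edits on an instance that ran a version before 8.0.2.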
Affected Products
Dataiku DSS in versions before 8.0.2
Credits
This vulnerability was discovered by cobalt.io
Mitigation
Dataiku DSS 8.0.2 has been made available to customers to remediate this issue.