Incorrect access control allows users to edit discussions
Information
CVE Id: CVE-2020-25822
CVSS 3.0 Score: 4.3
Severity: Medium
CWE classification: CWE-273 - Incorrect Access Control
CVSS 3.0 string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
The discussions feature allows users to edit their own posts. Insufficient access control on the API endpoint used to edit posts allows any user who has permission to comment and modify their own posts to modify posts written by other users.
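As an added illustration that is not part of the advisory and not Dataiku's code, the following Python sketch shows the class of bug described above: an edit handler that checks only the role-level "may comment and modify posts" permission, beside one that also checks that the post belongs to the caller and records the edit for auditing. The `User`, `Post` and `DiscussionService` names, the `can_comment` flag and the audit list are assumptions made for the example.

```python
from dataclasses import dataclass, field

class Forbidden(Exception): pass

@dataclass
class User:
    name: str
    can_comment: bool = True  # role-level permission: may post and modify comments

@dataclass
class Post:
    author: str
    body: str

@dataclass
class DiscussionService:
    posts: dict = field(default_factory=dict)   # post_id -> Post
    audit: list = field(default_factory=list)   # (editor, author, post_id)

    def edit_post_vulnerable(self, user: User, post_id: int, body: str) -> Post:
        # Only the role-level permission is checked, never who owns the post.
        post = self.posts[post_id]
        if not user.can_comment:
            raise Forbidden(f"{user.name} may not edit posts")
        post.body = body
        return post

    def edit_post_fixed(self, user: User, post_id: int, body: str) -> Post:
        # Role check plus an object-level check that the post belongs to the caller.
        post = self.posts[post_id]
        if not user.can_comment:
            raise Forbidden(f"{user.name} may not edit posts")
        if post.author != user.name:
            raise Forbidden(f"{user.name} is not the author of post {post_id}")
        self.audit.append((user.name, post.author, post_id))  # keep edits auditable
        post.body = body
        return post

def demo() -> dict:
    # Constructed scenario: alice owns post 1, mallory is an ordinary commenter.
    svc = DiscussionService(posts={1: Post("alice", "original text")})
    alice, mallory = User("alice"), User("mallory")
    vulnerable_body = svc.edit_post_vulnerable(mallory, 1, "rewritten by mallory").body
    try:
        svc.edit_post_fixed(mallory, 1, "rewritten again")
        blocked = False
    except Forbidden:
        blocked = True
    final_body = svc.edit_post_fixed(alice, 1, "edited by the author").body
    return {"vulnerable": vulnerable_body, "blocked": blocked, "final": final_body, "audit": svc.audit}
```

The fixed handler refuses a cross-user edit while still allowing the author's own edit, and the audit entry gives a reviewer the editor/author pair to alert on if the ownership check is ever bypassed.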
Affected Products
Dataiku DSS in versions before 8.0.2
Credits
This vulnerability was discovered by cobalt.io.
Mitigation
Dataiku DSS 8.0.2 has been made available to customers to remediate this issue.