CVE-2021-29452
Severity: HIGH
a12n-server 0.18.0-0.18.1 - Authenticated Privilege Escalation via User Edit HAL-Form
Title source: llmDescription
a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added in version 0.18.0 to allow editing users. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked, allowing any logged-in user to make this change. The flaw is an authorization failure rather than an authentication one: the server confirmed that the caller had a session but not that the caller held the admin privilege the feature required. Patched in v0.18.2.
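The description above says the check confused being logged in with being an admin. The following is an added example, not a12n-server's own code, that models that flaw class in JavaScript: a user-edit handler that only verifies a session exists, beside the corrected handler that also requires the admin privilege, plus a HAL-style rendering that advertises the edit template only to admins. The in-memory store, the session shape, the handler names and the set of editable fields are all hypothetical and constructed for the example.

```javascript
// Added example, not a12n-server's own code. Models an authenticated-but-
// unauthorized user edit (CWE-863) beside the fixed handler. Store, session
// shape, handler names and editable fields are hypothetical.

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Constructed sample data: one admin and one ordinary user.
function freshStore() {
  return new Map([
    [1, { id: 1, nickname: "alice", active: true, privileges: ["admin"] }],
    [2, { id: 2, nickname: "bob", active: true, privileges: [] }],
  ]);
}

// Fields the hypothetical edit form may change. Privileges are deliberately
// not editable here, so the escalation shown is "edit someone else's account".
const EDITABLE = ["nickname", "active"];

function requireLogin(session) {
  if (!session || !session.user) throw new HttpError(401, "login required");
  return session.user;
}

function isAdmin(user) {
  return user.privileges.includes("admin");
}

function applyPatch(store, targetId, patch) {
  const target = store.get(targetId);
  if (!target) throw new HttpError(404, "no such user");
  for (const key of Object.keys(patch)) {
    if (!EDITABLE.includes(key)) throw new HttpError(400, `field not editable: ${key}`);
  }
  Object.assign(target, patch);
  return target;
}

// Vulnerable handler: authentication mistaken for authorization.
// Any logged-in user, "bob" included, can rewrite any account.
function editUserVulnerable(store, session, targetId, patch) {
  requireLogin(session);
  return applyPatch(store, targetId, patch);
}

// Fixed handler: the same request is refused with 403 unless the caller holds
// the admin privilege. The check sits on the state-changing request itself.
function editUserFixed(store, session, targetId, patch) {
  const caller = requireLogin(session);
  if (!isAdmin(caller)) throw new HttpError(403, "admin privilege required");
  return applyPatch(store, targetId, patch);
}

// HAL representation of a user. The edit template (HAL-Forms "_templates") is
// advertised only to admins; hiding it is usability, not access control.
function renderUser(store, session, targetId) {
  const caller = requireLogin(session);
  const target = store.get(targetId);
  if (!target) throw new HttpError(404, "no such user");
  const body = {
    _links: { self: { href: `/user/${target.id}` } },
    nickname: target.nickname,
    active: target.active,
  };
  if (isAdmin(caller)) {
    body._templates = {
      edit: {
        method: "PUT",
        target: `/user/${target.id}`,
        properties: EDITABLE.map((name) => ({ name })),
      },
    };
  }
  return body;
}

// Runs a handler and folds the HTTP outcome into a plain result object.
function attempt(handler, ...args) {
  try {
    return { ok: true, value: handler(...args) };
  } catch (e) {
    if (e instanceof HttpError) return { ok: false, status: e.status };
    throw e;
  }
}

// Scenario: ordinary user "bob" submits the form against admin "alice".
function demo() {
  const bob = { user: freshStore().get(2) };
  return {
    vulnerable: attempt(editUserVulnerable, freshStore(), bob, 1, { nickname: "pwned" }),
    fixed: attempt(editUserFixed, freshStore(), bob, 1, { nickname: "pwned" }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The review question for any HAL-Form feature is where the privilege check lives: it must guard the request that changes state (the PUT), because a client can submit the form whether or not `_templates` advertised it. In the fixed handler an anonymous caller still gets 401 and a logged-in non-admin gets 403; only the form's field whitelist produces 400.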
References (2)
Third Party Advisory x_refsource_confirm
https://github.com/curveball/a12n-server/security/advisories/GHSA-8hw9-22v6-9jr9
Various Sources x_refsource_misc
https://www.npmjs.com/package/%40curveball/a12n-server
Scores
CVSS v3
8.1
EPSS
0.0078
EPSS Percentile
51.3%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-269
CWE-863
Status
published
Products (2)
curveball/a12n-server
0.18.0 - 0.18.2 (npm)
curveballjs/a12n-server
0.18.0 - 0.18.2
Note: the description above gives v0.18.2 as the patched release, so 0.18.2 is the upper bound of the range rather than an affected version; the affected releases are 0.18.0 and 0.18.1.
Published
Apr 16, 2021
Tracked Since
Feb 18, 2026