CVE-2021-46561
HIGHCVE Services API 1.1.1 - Incorrect Authorization via User Account Transfer
Title source: llmDescription
controller/org.controller/org.controller.js in the CVE Services API 1.1.1 before 5c50baf3bda28133a3bc90b854765a64fb538304 allows an organizational administrator to transfer a user account to an arbitrary new organization, and thereby achieve unintended access within the context of that new organization.
References (1)
Core 1
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/CVEProject/cve-services/commit/5c50baf3bda28133a3bc90b854765a64fb538304
Scores
CVSS v3
7.2
EPSS
0.0084
EPSS Percentile
53.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (1)
mitre/cve_services
1.1.1
Published
Jan 26, 2022
Tracked Since
Feb 18, 2026