Vulnerability Description
thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3, when querying `subresults`, it is possible to query `subresults` from other users due to insufficient authorisation. This is only possible for logged-in users, and it is not possible to associate the subresults with a specific user. This bug was fixed in commit `f1ae67d8bb2` and released with version 1.5.3. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Thm | Feedbacksystem | < 1.5.3 |
References
- https://github.com/thm-mni-ii/feedbacksystem/commit/f1ae67d8bb2286a8eb1594903847 (Patch)
- https://github.com/thm-mni-ii/feedbacksystem/releases/tag/v1.5.3 (Release Notes)
- https://github.com/thm-mni-ii/feedbacksystem/security/advisories/GHSA-fhq8-p3w6- (Patch, Third Party Advisory)
- https://thm-mni-ii.github.io/feedbacksystem/api-docs/#tag/Submission/operation/g (Product)
FAQ
What is CVE-2023-27485?
CVE-2023-27485 is a vulnerability with a CVSS score of 4.3 (MEDIUM). thmmniii/fbs-core is an open source feedback system for students. In versions prior to 1.5.3 when querying `subresults`, it is possible to query `subresults` from other users due to insufficient autho...
How severe is CVE-2023-27485?
CVE-2023-27485 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-27485?
Check the references section above for vendor advisories and patch information. Affected products include: Thm Feedbacksystem.