Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
Vulnerability Description
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided password verification is skipped; there is no check for input.id === ctx.id (ownership verification). This could result in any authenticated user modifying other users' passwords, direct escalation to superadmin, and complete account takeover. This issue has been patched in version 1.8.4.
CVSS Information
N/A
Vulnerability Type
使用候选路径或通道进行的认证绕过
Vulnerability Title
Blinko 安全漏洞
Vulnerability Description
Blinko是Blinko开源的一款基于人工智能的卡片式笔记应用,专为想要快速捕捉和整理转瞬即逝的灵感的用户而设计。 Blinko 1.8.4之前版本存在安全漏洞,该漏洞源于upsertUser端点缺少超级管理员中间件、密码验证和所有权检查,可能导致任意经过身份验证的用户修改其他用户密码、直接提升为超级管理员以及完全账户接管。
CVSS Information
N/A
Vulnerability Type
N/A