Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Scoold: Cross-Account Feedback Deletion (IDOR)
Vulnerability Description
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Scoold 安全漏洞
Vulnerability Description
Scoold是Erudika开源的一个团队问答和知识共享平台。 Scoold 1.66.1之前版本存在安全漏洞,该漏洞源于反馈删除功能存在身份验证后的授权缺陷,可能导致低权限用户删除其他用户的反馈。
CVSS Information
N/A
Vulnerability Type
N/A