Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Scoold has an Authenticated Arbitrary Question Overwrite via Client-Controlled postId in POST /questions/ask
Vulnerability Description
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Scoold 安全漏洞
Vulnerability Description
Scoold是Erudika开源的一个团队问答和知识共享平台。 Scoold 1.66.2之前版本存在安全漏洞,该漏洞源于存在授权缺陷,可能导致低权限用户覆盖其他用户的问题。
CVSS Information
N/A
Vulnerability Type
N/A