Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HomeBox has Unauthorized API Access via Retained defaultGroup ID After Group Access Revocation
Vulnerability Description
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the access revocation and prevented the user from viewing or modifying the group's contents, the API did not. Because the original group ID persisted as the user's defaultGroup, and this value was not properly validated when the X-Tenant header was omitted, the user could still perform full CRUD operations on the group's collections through the API, bypassing the intended access controls. This issue has been fixed in version 0.25.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
不正确的属主授予
Vulnerability Title
HomeBox 安全漏洞
Vulnerability Description
HomeBox是SysAdmins Media开源的一个为家庭用户构建的库存和组织系统。 HomeBox 0.25.0之前版本存在安全漏洞,该漏洞源于defaultGroup ID在用户被邀请到组后永久分配,即使其访问权限被撤销,API也未正确验证,可能导致绕过访问控制。
CVSS Information
N/A
Vulnerability Type
N/A