CVE-2024-25108: Pixelfed doesn't check OAuth Scopes in API routes, giving elevated permissions
(updated )
When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server.
This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists.
References
- github.com/advisories/GHSA-gccq-h3xj-jgvf
- github.com/pixelfed/pixelfed
- github.com/pixelfed/pixelfed/commit/7e47d6dccb0393a2e95c42813c562c854882b037
- github.com/pixelfed/pixelfed/commit/fd7f5dbb
- github.com/pixelfed/pixelfed/commit/fd7f5dbba13818f60d1c2b3ab110b499e996aa81
- github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf
- nvd.nist.gov/vuln/detail/CVE-2024-25108
Code Behaviors & Features
Detect and mitigate CVE-2024-25108 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →