Access of Resource Using Incompatible Type ('Type Confusion') in yourls/yourls · CVE-2019-14537 · GitHub Advisory Database · GitHub

Access of Resource Using Incompatible Type ('Type Confusion') in yourls/yourls

Critical severity GitHub Reviewed Published Sep 22, 2019 in YOURLS/YOURLS • Updated Jan 11, 2023

Package

yourls/yourls (Composer)

Affected versions

< 1.7.4

Patched versions

1.7.4

Description

Type juggling vulnerability in the API

Impact

YOURLS through 1.7.3 is affected by a type juggling vulnerability in the API component that can result in login bypass.

Patches

https://github.com/YOURLS/YOURLS/releases/tag/1.7.4
YOURLS/YOURLS#2542

References

For more information

If you have any questions or comments about this advisory:

Open an issue in YOURLS repository

References

ozh published to YOURLS/YOURLS

Sep 22, 2019

Published to the GitHub Advisory Database Sep 23, 2019

Reviewed Jun 16, 2020

Last updated Jan 11, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H