SB2023072763 - Improper access control in Tolgee



SB2023072763 - Improper access control in Tolgee

Published: July 27, 2023 Updated: June 2, 2026

Security Bulletin ID SB2023072763
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2023-38510)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify data they have no access to.

The vulnerability exists due to improper access control in some backend endpoints when handling requests authenticated with an API key. A remote user can send requests using an API key to modify data they have no access to.

This issue affects endpoints where the backend does not verify the permission scopes associated with the API key.


Remediation

Install update from vendor's website.