SB2023072763 - Improper access control in Tolgee
Published: July 27, 2023 Updated: June 2, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2023-38510)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to modify data they have no access to.
The vulnerability exists due to improper access control in some backend endpoints when handling requests authenticated with an API key. A remote user can send requests using an API key to modify data they have no access to.
This issue affects endpoints where the backend does not verify the permission scopes associated with the API key.
Remediation
Install update from vendor's website.