Merge pull request #43 from AikidoSec/intel-new-vul-improper-auth-nic…

…egui New Vuln: Improper Auth in NiceGUI (python)
AikidoSec · Jan 7, 2025 · 378d964 · 378d964
2 parents f5b5be0 + 1fa6784
commit 378d964
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/vulnerabilities/AIKIDO-2025-10006.json b/vulnerabilities/AIKIDO-2025-10006.json
@@ -0,0 +1,26 @@
+{
+  "package_name": "nicegui",
+  "patch_versions": [
+    "2.9.1"
+  ],
+  "vulnerable_ranges": [
+    [
+      "1.3.0",
+      "2.9.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-287"
+  ],
+  "tldr": "Affected versions of this package are affected by a broken access control due to inadequate isolation of session states across different browsers. When a user logs into one browser, they are automatically authenticated in all other browsers on the same device, including incognito mode, without needing to log in again. It may lead to unauthorized access, particularly when using shared or public devices.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `NiceGUI` library to the patch version.",
+  "vulnerable_to": "Improper Authentication",
+  "related_cve_id": "CVE-2025-21618",
+  "language": "python",
+  "severity_class": "HIGH",
+  "aikido_score": 75,
+  "changelog": "https://github.com/zauberzeug/nicegui/releases/tag/v2.9.1",
+  "last_modified": "2025-01-07",
+  "published": "2025-01-07"
+}