CVE-2025-62721
BaseFortify
Publication date: 2025-11-04
Last updated on: 2025-11-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linkace | linkace | to 2.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In LinkAce versions 2.3.1 and below, the authenticated RSS feed endpoints in the FeedController class do not properly check user authorization. This means any authenticated user can access all links, lists, and tags from every user in the system, regardless of ownership or visibility settings. This flaw allows unauthorized access to other users' data. The issue is fixed in version 2.4.0.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of all users' links, lists, and tags within the LinkAce system to any authenticated user. It compromises data confidentiality and privacy by allowing users to access information they should not have permission to see.
What immediate steps should I take to mitigate this vulnerability?
Upgrade LinkAce to version 2.4.0 or later, as this version fixes the authorization issue in the FeedController class. Until the upgrade, restrict authenticated user access to the RSS feed endpoints to trusted users only.