CVE-2026-45718
Unauthorized Row Action Execution in Budibase
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| budibase | budibase | 3.38.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Budibase to version 3.38.1 or later, where the issue has been fixed.
Can you explain this vulnerability to me?
This vulnerability exists in Budibase, an open-source low-code platform, in versions prior to 3.38.1. The issue is that the row action trigger endpoint does not properly validate whether the user-supplied rowId is within the scope of the view's row filters. As a result, a user who has access to a filtered view can trigger actions on any row in the underlying table, including rows that should be excluded by the view's security filters.
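The following is an added illustration of the missing authorization check described above, written for this page; it is not Budibase's code, and the `View`, `Row`, `triggerRowActionUnsafe` and `triggerRowActionSafe` names, the filter model and the sample table are all constructed assumptions. It contrasts a handler that trusts a caller-supplied `rowId` once the caller can reach the view (the CWE-863 pattern) with one that re-evaluates the view's filters server-side before running the action.

```typescript
// Added example, not Budibase's code. Types and names are assumptions.

type Row = { _id: string; [field: string]: string | number };

// A view exposes a subset of a table's rows, selected by server-side filter
// predicates (constructed stand-in for a platform's view filters).
type ViewFilter = { field: string; op: "equals" | "notEquals"; value: string | number };
type View = { tableId: string; filters: ViewFilter[] };

// Constructed sample table: rows owned by two different users.
const TABLE: Row[] = [
  { _id: "row-1", owner: "alice", status: "open" },
  { _id: "row-2", owner: "bob", status: "open" },
  { _id: "row-3", owner: "alice", status: "closed" },
];

function matchesFilter(row: Row, f: ViewFilter): boolean {
  const v = row[f.field];
  return f.op === "equals" ? v === f.value : v !== f.value;
}

// True only if the row satisfies every filter the view applies.
function rowIsInView(row: Row, view: View): boolean {
  return view.filters.every((f) => matchesFilter(row, f));
}

class ActionNotAllowed extends Error {
  constructor(msg: string) {
    super(msg);
    this.name = "ActionNotAllowed";
  }
}

type RowAction = (r: Row) => string;

// VULNERABLE pattern (CWE-863): the rowId is looked up directly in the
// underlying table; the view's filters are never consulted, so any row in
// the table can be acted on by a caller who merely has access to the view.
function triggerRowActionUnsafe(view: View, rowId: string, action: RowAction): string {
  const row = TABLE.find((r) => r._id === rowId);
  if (!row) throw new ActionNotAllowed("no such row");
  return action(row);
}

// HARDENED: the row must pass the view's own filters before the action runs.
// The same error covers "missing" and "filtered out", so the response does
// not reveal whether a row outside the view exists.
function triggerRowActionSafe(view: View, rowId: string, action: RowAction): string {
  const row = TABLE.find((r) => r._id === rowId);
  if (!row || !rowIsInView(row, view)) {
    throw new ActionNotAllowed("row not accessible through this view");
  }
  return action(row);
}

// Sample view restricted to alice's rows.
const ALICE_VIEW: View = {
  tableId: "t1",
  filters: [{ field: "owner", op: "equals", value: "alice" }],
};

// Runs both handlers against a row the view excludes and reports the outcome.
function demo(): { unsafe: string; safeBlocked: boolean } {
  const act: RowAction = (r) => `acted on ${r._id}`;
  const unsafe = triggerRowActionUnsafe(ALICE_VIEW, "row-2", act); // bob's row, executed anyway
  let safeBlocked = false;
  try {
    triggerRowActionSafe(ALICE_VIEW, "row-2", act);
  } catch (e) {
    safeBlocked = (e as Error).name === "ActionNotAllowed";
  }
  return { unsafe, safeBlocked };
}
```

The hardened handler evaluates the filters on the server with the same predicate logic the view uses for listing rows; checking only that the caller may open the view, as the unsafe variant does, is exactly the incomplete check CWE-863 describes.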
How can this vulnerability impact me?
This vulnerability can allow a user with limited access to perform actions on data rows that they should not have access to. This means unauthorized access and modification of data could occur, potentially leading to data integrity issues and unauthorized information disclosure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a user with access to a filtered view to trigger actions on any row in the underlying table, including rows that are explicitly excluded by the view's security filters.
Such unauthorized access to data outside the intended scope could lead to exposure or manipulation of sensitive information, potentially violating data protection requirements in standards like GDPR or HIPAA.
Therefore, this vulnerability may negatively impact compliance with regulations that mandate strict access controls and data privacy protections.