An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3Z2Mtamp2di1jdjZ2

Improper Authorization in loopback

Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges.


For loopback 2.x, upgrade to version 2.40.0 or later For loopback 3.x, upgrade to version 3.22.0 or later

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 9 months ago

Identifiers: GHSA-8wgc-jjvv-cv6v

Affected Packages

Versions: >= 3.0.0, <= 3.21.0, <= 2.39.2
Fixed in: 3.22.0, 2.40.0