CVE-2025-1007
Feb. 19, 2025, 9:15 a.m.
None
No Score
Description
In OpenVSX version v0.9.0 to v0.20.0, the
/user/namespace/{namespace}/details API allows a user to edit all
namespace details, even if the user is not a namespace Owner or
Contributor. The details include: name, description, website, support
link and social media links. The same issues existed in
/user/namespace/{namespace}/details/logo and allowed a user to change
the logo.
Product(s) Impacted
| Product | Versions |
|---|---|
| OpenVSX |
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-283
Unverified Ownership
The product does not properly verify that a critical resource is owned by the proper entity.
Tags
Date
- Published: Feb. 19, 2025, 9:15 a.m.
- Last Modified: Feb. 19, 2025, 9:15 a.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
emo@eclipse.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.