An access control issue in aleksis/core/util/auth_helpers.py (ClientProtectedResourceMixin) of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are explicitly configured for the client.
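As an added illustration of the bug class this advisory describes (constructed example code, not AlekSIS code and not a reproduction of the real ClientProtectedResourceMixin), the following Python contrasts a scope check that fails open when no allowed scopes are configured with one that fails closed. The `ClientApplication` class, its `allowed_scopes` field, and both checker functions are assumptions chosen for illustration; the defensive point is that an absent allow-list must grant nothing, and that a configuration audit can flag clients with no scopes configured.

```python
"""Fail-open vs fail-closed OAuth scope checks (constructed example).

NOT AlekSIS code: the class and function names below are assumptions made
for illustration and do not reproduce the project's actual mixin.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class ClientApplication:
    """Minimal stand-in for an OAuth client record (constructed)."""

    client_id: str
    # Scopes an operator has explicitly granted this client. An empty set means
    # "nothing configured"; the vulnerable check treats that as "everything".
    allowed_scopes: set = field(default_factory=set)


def has_scope_fail_open(client: ClientApplication, requested: Iterable[str]) -> bool:
    """Vulnerable pattern: an unset allow-list grants every requested scope.

    This mirrors the class of bug the advisory describes: when no allowed scopes
    are configured, the check short-circuits to True.
    """
    if not client.allowed_scopes:
        return True  # BUG: absence of configuration is treated as full access
    return set(requested) <= client.allowed_scopes


def has_scope_fail_closed(client: ClientApplication, requested: Iterable[str]) -> bool:
    """Hardened pattern: every requested scope must be explicitly allowed.

    An empty allow-list grants nothing, and an empty request is rejected too, so
    a client cannot bypass the check by asking for no scope at all.
    """
    wanted = set(requested)
    if not wanted:
        return False
    return wanted <= client.allowed_scopes


def audit_clients(clients: Iterable[ClientApplication], probe_scope: str = "admin") -> List[str]:
    """Return ids of clients that the fail-open check would let reach probe_scope
    but the fail-closed check would not.

    Any client with no allowed scopes configured shows up here, which makes this
    a quick configuration audit for the condition described in the advisory.
    """
    return [
        c.client_id
        for c in clients
        if has_scope_fail_open(c, {probe_scope}) and not has_scope_fail_closed(c, {probe_scope})
    ]


if __name__ == "__main__":
    # Constructed sample registry: one client with no scopes set, one with "read".
    registry = [ClientApplication("unconfigured-client"), ClientApplication("reporting", {"read"})]
    for client in registry:
        print(
            client.client_id,
            "fail-open admin:", has_scope_fail_open(client, {"admin"}),
            "fail-closed admin:", has_scope_fail_closed(client, {"admin"}),
        )
    print("clients needing attention:", audit_clients(registry))
```

The audit helper is the piece worth keeping after the fix: run it over the client registry once the checker is corrected and any client whose effective permissions changed is listed, which is the set an operator should review.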
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-29773
- https://edugit.org/AlekSIS/official/AlekSIS-Core/-/issues/688
- https://edugit.org/AlekSIS/official/AlekSIS-Core/-/commit/0d39d5f566e1d916e3c8dedd3f5bd62161f30bd8
- https://edugit.org/AlekSIS/official/AlekSIS-Core/-/merge_requests/1011
- https://github.com/advisories/GHSA-76x2-h8h3-cwjg