CVE-2013-3703 HIGH

CVE-2013-3703: No write permission check in change_role command

Vendor Opensuse

Product Open Build Service

Weakness CWE-862 · Missing authorization

Published June 8, 2018

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.

Key dates

02Disclosure timeline

June 8, 2018 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2013-3703 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-29001 WordPress WooCommerce Shop Page Builder plugin <= 2.27.7 - Broken Access Control Vulnerability CVE-2023-40678 WordPress Simple URLs plugin <= 117 - Broken Access Control vulnerability CVE-2026-27687 Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal CVE-2026-3649 Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action CVE-2023-3352 Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion