MEDIUM 6.5
PYSEC-2026-767
Access control issue in AlekSIS-Core
Details
An access control issue in aleksis/core/util/auth_helpers.py: ClientProtectedResourceMixin of AlekSIS-Core v2.8.1 and below allows attackers to access arbitrary scopes if no allowed scopes are specifically set.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-29773 [ADVISORY]
- https://aleksis.org/2022-05-04_advisory.html [WEB]
- https://edugit.org/AlekSIS/official/AlekSIS-Core [PACKAGE]
- https://edugit.org/AlekSIS/official/AlekSIS-Core/-/commit/0d39d5f566e1d916e3c8dedd3f5bd62161f30bd8 [WEB]
- https://edugit.org/AlekSIS/official/AlekSIS-Core/-/issues/688 [WEB]
- https://edugit.org/AlekSIS/official/AlekSIS-Core/-/merge_requests/1011 [WEB]
- https://pypi.org/project/aleksis-core [PACKAGE]
- https://github.com/advisories/GHSA-76x2-h8h3-cwjg [ADVISORY]