
When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id

Moderate
yoni-rapoport published GHSA-7hh3-3x64-v2g9 Jun 20, 2023

Package

npm remult (npm)

Affected versions

< 0.20.6

Patched versions

0.20.6

Description

Impact

If you set the apiPrefilter option of the @Entity decorator to a function that returns a filter intended to prevent unauthorized access to data, that filter is not applied to API requests that address a single resource by id. An attacker who knows the id of an entity instance they are not authorized to access can therefore gain read, update and delete access to it.

Patches

The issue is fixed in version 0.20.6.

Workarounds

Set the apiPrefilter option to a filter object instead of a function.
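The following is an added example that models the impact and the workaround above; it is not remult's code and does not use the remult API. It is a constructed toy entity API in which a row-level prefilter may be a static filter object or a function of the request context. The list endpoint honours both forms, the flawed by-id lookup honours only the object form (the behaviour described in this advisory), and the fixed by-id lookup resolves the prefilter the same way the list endpoint does. The names EntityApi, findByIdFlawed, findByIdFixed, ownerOnly and the sample rows are assumptions made for the illustration.

```typescript
// Added example, not remult's own code: a minimal model of an entity API
// whose row-level prefilter is applied to list queries but, in the flawed
// by-id path, silently skipped when the prefilter is a function.

type Row = { id: number; owner: string; title: string };
type Filter = Partial<Row>;
type Ctx = { user: string };
// A static object, or a function of the request context (the form the
// advisory says was not applied to by-id requests before 0.20.6).
type Prefilter = Filter | ((ctx: Ctx) => Filter);

// A row matches a filter when every key in the filter equals the row's value.
function matches(row: Row, filter: Filter): boolean {
  return (Object.keys(filter) as (keyof Row)[]).every((k) => row[k] === filter[k]);
}

class EntityApi {
  constructor(private rows: Row[], private readonly prefilter: Prefilter) {}

  private resolve(ctx: Ctx): Filter {
    return typeof this.prefilter === "function" ? this.prefilter(ctx) : this.prefilter;
  }

  // List endpoint: both prefilter forms are honoured.
  find(ctx: Ctx, where: Filter = {}): Row[] {
    const pre = this.resolve(ctx);
    return this.rows.filter((r) => matches(r, pre) && matches(r, where));
  }

  // Flawed by-id endpoint: an object prefilter is applied, but a function
  // prefilter is dropped, so any row is reachable by id.
  findByIdFlawed(_ctx: Ctx, id: number): Row | undefined {
    const pre = typeof this.prefilter === "function" ? {} : this.prefilter;
    return this.rows.find((r) => r.id === id && matches(r, pre));
  }

  // Fixed by-id endpoint: resolve the prefilter exactly as find() does.
  findByIdFixed(ctx: Ctx, id: number): Row | undefined {
    const pre = this.resolve(ctx);
    return this.rows.find((r) => r.id === id && matches(r, pre));
  }

  // Update and delete reuse a by-id lookup, so they inherit its behaviour.
  deleteById(ctx: Ctx, id: number, lookup: "flawed" | "fixed"): boolean {
    const row = lookup === "flawed" ? this.findByIdFlawed(ctx, id) : this.findByIdFixed(ctx, id);
    if (!row) return false;
    this.rows = this.rows.filter((r) => r !== row);
    return true;
  }
}

// Constructed sample data: one row per user.
function sampleRows(): Row[] {
  return [
    { id: 1, owner: "alice", title: "alice's task" },
    { id: 2, owner: "bob", title: "bob's task" },
  ];
}

// Per-user ownership rule; this kind of filter needs the function form.
const ownerOnly = (ctx: Ctx): Filter => ({ owner: ctx.user });

// Bob lists his rows, then tries to read and delete Alice's row by id.
function demonstrate() {
  const bob: Ctx = { user: "bob" };
  const flawed = new EntityApi(sampleRows(), ownerOnly);
  const fixed = new EntityApi(sampleRows(), ownerOnly);
  return {
    listedForBob: flawed.find(bob).map((r) => r.id),          // [2]
    flawedReadOfAlice: flawed.findByIdFlawed(bob, 1)?.owner,  // "alice": bypass
    flawedDeleteOfAlice: flawed.deleteById(bob, 1, "flawed"), // true: bypass
    fixedReadOfAlice: fixed.findByIdFixed(bob, 1)?.owner,     // undefined
    fixedDeleteOfAlice: fixed.deleteById(bob, 1, "fixed"),    // false
  };
}
```

The list endpoint hides Alice's row from Bob in both versions; only the by-id path differs, which is why the bug is invisible to anyone who tests authorization solely through list queries. A static object prefilter is honoured by the flawed lookup too, which is what the workaround relies on, but a static object cannot express a per-request rule such as ownership, so it is a stopgap rather than a replacement for the fix in 0.20.6.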

References

If you're using a minor version < 0.20 and require a patch, please create an issue.

Severity

Moderate

CVE ID

CVE-2023-35167

Weaknesses

No CWEs

Credits