CVE-2025-1007

In OpenVSX version v0.9.0 to v0.20.0, the 
/user/namespace/{namespace}/details API allows a user to edit all 
namespace details, even if the user is not a namespace Owner or 
Contributor. The details include: name, description, website, support 
link and social media links. The same issues existed in 
/user/namespace/{namespace}/details/logo and allowed a user to change 
the logo.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
eclipseCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
eclipseopen_vsx
0.9.0 ≤
𝑥
< 0.19.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/eclipse/openvsx/security/advisories/GHSA-wc7c-xq2f-qp4h