CVE-2021-29452: 
JavaScript vulnerability analysis and mitigation

a12n-server is an npm package designed to provide a simple authentication system. In version 0.18.0, a vulnerability was discovered where a new HAL-Form feature for editing users was added, but the privileges were incorrectly checked, allowing any logged-in user to edit any other user's information. This vulnerability was identified on April 16, 2021, and affected versions from 0.18.0 to versions before 0.18.2 (GitHub Advisory).

The vulnerability (CVE-2021-29452) stems from an improper authorization implementation in the HAL-Form feature. The feature was intended to be restricted to administrators only, but due to incorrect privilege checking, it became accessible to any authenticated user. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH by GitHub, Inc., and 6.5 MEDIUM by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows any authenticated user to modify other users' information within the system, effectively bypassing the intended administrative access controls. This could lead to unauthorized modification of user data and potential privilege escalation scenarios (GitHub Advisory).

The vulnerability was patched in version 0.18.2 of the a12n-server package. Users are advised to upgrade to this version or later to address the security issue. No alternative workarounds were provided (GitHub Advisory, NPM Package).