Flag Forge Unauthenticated Badge Template API Access Vulnerability

A broken access control vulnerability has been identified in Flag Forge versions 2.0.0 prior to 2.3.2. The issue resides in the '/api/admin/badge-templates' (GET) and '/api/admin/badge-templates/create' (POST) endpoints, which previously allowed unauthenticated access. This vulnerability could have enabled unauthorized users to retrieve all badge templates along with sensitive metadata such as 'createdBy', 'createdAt', and 'updatedAt', or to create arbitrary badge templates in the database. The consequences of this vulnerability include data exposure, database pollution, and potential abuse of the badge system.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data and the injection of arbitrary badge templates, disrupting the integrity of the platform and eroding user trust.

Remediation

Users are advised to update to Flag Forge version 2.3.2 or later. Instructions for updating can be found in the Flag Forge GitHub repository.