CVE-2023-28686 — Authorization Bypass Through User-Controlled Key in Dino

CWE-639 — Authorization Bypass Through User-Controlled Key5 documents5 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 55.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dino Debian Dino-im Debian Linux +1 more

Timeline

PublishedMar 24

Latest updateApr 9

Description

Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

▶NVDdino/dino0.3.0 — 0.3.2+2

▶debiandebian/dino-im< dino-im 0.4.2-1 (bookworm)

Also affects: Debian Linux 10.0, 11.0, 12.0, Fedora 36, 37, 38

Patches

Patch: dino.im ↗Patch: dino.im ↗

🔴Vulnerability Details

GHSA

GHSA-xxch-mf4j-qcvj: Dino before 0↗2023-03-24

▶

OSV

CVE-2023-28686: Dino before 0↗2023-03-24

▶

📋Vendor Advisories

Ubuntu

Dino vulnerability↗2025-04-09

▶

Debian

CVE-2023-28686: dino-im - Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers t...↗2023

▶