VYPR
Moderate severity · NVD Advisory · Published Mar 21, 2023 · Updated Feb 26, 2025

Business Logic Errors in answerdev/answer

CVE-2023-1542

Description

Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A business logic flaw in the answer platform before 1.0.6 allowed administrators to modify their own account status, bypassing the intended restriction.

Root Cause

CVE-2023-1542 is a business logic error in the answer Q&A platform prior to version 1.0.6. The flaw lies in the admin user management functionality, where the UpdateUserStatusReq schema originally did not track which user (the requesting admin) was performing the status change. This allowed an administrator to modify their own account status (e.g., suspend themselves) without proper checks [1][3].

Exploitation

To exploit this vulnerability, an authenticated attacker with administrative privileges could craft a request to change their own user status to 'deleted' or 'suspended', thereby bypassing the intended restriction that prevents admins from altering their own status. The attack does not require any special network access beyond the normal administrative API endpoint [1][3].

Impact

An attacker who gains admin credentials could abuse this flaw to lock themselves out of the system or potentially to cover their tracks by deleting their own account. More critically, it could allow an attacker to grant themselves elevated or unusual permissions by manipulating status values outside the intended business logic, undermining the integrity of the platform's user management [1].

Mitigation

The issue was fixed in commit 4ca2429 by adding a LoginUserID field to UpdateUserStatusReq, tagged json:"-" so the JSON decoder ignores any value a client sends for it and only the server can set it from the authenticated session; the service then rejects a request whose target UserID equals LoginUserID, so admins cannot change their own status [3][4]. Users should upgrade to answer 1.0.6 or later to receive the patch [1].
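The fix described above, as an added Go example (not code from the answer project): a request type whose acting-user field carries the `json:"-"` tag, a bind step that stamps that field from the session rather than the body, and the pre-1.0.6 write path beside the guarded one. The names `bindBody`, `bindRequest`, `updateStatusVulnerable`, `updateStatusFixed`, the in-memory `store` and the sample request body are assumptions for illustration; the empty-actor check in `updateStatusFixed` is an extra fail-closed step that the upstream patch does not include.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Sentinel errors standing in for the reason codes used upstream (names assumed).
var (
	ErrSelfStatusChange = errors.New("error.admin.cannot_modify_self_status")
	ErrMissingActor     = errors.New("acting user id not set")
	ErrBadRequest       = errors.New("invalid user id or status")
)

// UpdateUserStatusReq mirrors the patched schema: LoginUserID carries the
// json:"-" tag, so encoding/json never reads it from the request body.
type UpdateUserStatusReq struct {
	UserID      string `json:"user_id"`
	Status      string `json:"status"`
	LoginUserID string `json:"-"`
}

// The four statuses the upstream validator accepts (oneof=normal suspended deleted inactive).
var allowedStatus = map[string]bool{
	"normal": true, "suspended": true, "deleted": true, "inactive": true,
}

// bindBody decodes only the JSON body, i.e. the part a client controls.
func bindBody(body []byte) (*UpdateUserStatusReq, error) {
	var req UpdateUserStatusReq
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	if req.UserID == "" || !allowedStatus[req.Status] {
		return nil, ErrBadRequest
	}
	return &req, nil
}

// bindRequest models the patched controller: bind the body, then stamp the
// acting user's ID from the authenticated session, never from the body.
func bindRequest(body []byte, sessionUserID string) (*UpdateUserStatusReq, error) {
	req, err := bindBody(body)
	if err != nil {
		return nil, err
	}
	req.LoginUserID = sessionUserID
	return req, nil
}

// writeStatus is the persistence step shared by both service variants
// (a map stands in for the user repository; constructed for this example).
func writeStatus(store map[string]string, req *UpdateUserStatusReq) error {
	if _, ok := store[req.UserID]; !ok {
		return fmt.Errorf("user %q not found", req.UserID)
	}
	store[req.UserID] = req.Status
	return nil
}

// updateStatusVulnerable reproduces the pre-1.0.6 behaviour: any admin can
// set any status on any account, including their own.
func updateStatusVulnerable(store map[string]string, req *UpdateUserStatusReq) error {
	return writeStatus(store, req)
}

// updateStatusFixed applies the guard from the fix and, as an added hardening
// step not in the upstream patch, fails closed when the actor is unknown.
func updateStatusFixed(store map[string]string, req *UpdateUserStatusReq) error {
	if req.LoginUserID == "" {
		return ErrMissingActor // assumption: a missing actor is a bad request
	}
	if req.UserID == req.LoginUserID {
		return ErrSelfStatusChange // the check introduced in 1.0.6
	}
	return writeStatus(store, req)
}

func main() {
	// Constructed request: an admin targets their own account and also tries
	// to smuggle a different acting user through the body.
	body := []byte(`{"user_id":"admin-1","status":"suspended","LoginUserID":"someone-else"}`)
	store := map[string]string{"admin-1": "normal", "user-2": "normal"}

	req, err := bindRequest(body, "admin-1")
	if err != nil {
		fmt.Println("bind failed:", err)
		return
	}
	fmt.Println("acting user taken from session, not body:", req.LoginUserID == "admin-1")
	fmt.Println("vulnerable:", updateStatusVulnerable(store, req), "->", store["admin-1"])
	store["admin-1"] = "normal"
	fmt.Println("fixed:", updateStatusFixed(store, req), "->", store["admin-1"])
}
```

The two things worth noticing when running it: the `LoginUserID` key in the body is dropped at decode time because of the `json:"-"` tag, and the guard compares the target against a value the client never supplied, which is what turns a client-controlled comparison into a server-side one.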

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions   Patched versions
github.com/answerdev/answer (Go)   < 1.0.6             1.0.6

Affected products: 2

Patches: 1

4ca2429d190a

fix(admin): add restriction about admin modify their status

https://github.com/answerdev/answer · LinkinStars · Feb 23, 2023 · via ghsa
5 files changed · +12 −4
  • i18n/en_US.yaml+2 0 modified
    @@ -37,6 +37,8 @@ backend:
         admin:
           cannot_update_their_password:
             other: You cannot modify your password.
    +      cannot_modify_self_status:
    +        other: You cannot modify your status.
           email_or_password_wrong:
             other: Email and password do not match.
         answer:
    
  • internal/base/reason/reason.go+1 0 modified
    @@ -65,4 +65,5 @@ const (
     	NotAllowedRegistration           = "error.user.not_allowed_registration"
     	SMTPConfigFromNameCannotBeEmail  = "error.smtp.config_from_name_cannot_be_email"
     	AdminCannotUpdateTheirPassword   = "error.admin.cannot_update_their_password"
    +	AdminCannotModifySelfStatus      = "error.admin.cannot_modify_self_status"
     )
    
  • internal/controller_admin/user_backyard_controller.go+2 0 modified
    @@ -34,6 +34,8 @@ func (uc *UserAdminController) UpdateUserStatus(ctx *gin.Context) {
     		return
     	}
     
    +	req.LoginUserID = middleware.GetLoginUserIDFromContext(ctx)
    +
     	err := uc.userService.UpdateUserStatus(ctx, req)
     	handler.HandleResponse(ctx, err, nil)
     }
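Review bot: `req.LoginUserID` is assigned only here, after the bind-and-validate step above has returned on error, so the `json:"-"` tag and this line together guarantee the value comes from the session rather than the body; the guard in the service, however, is only as good as every caller doing the same, so document at the call site (or on the schema field) that `LoginUserID` must be populated from `middleware.GetLoginUserIDFromContext` before `UpdateUserStatus` is called. If `GetLoginUserIDFromContext` can return an empty string for a context without a login, that case should be rejected here rather than passed through to the service.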
    
  • internal/schema/backyard_user_schema.go+3 4 modified
    @@ -2,10 +2,9 @@ package schema
     
     // UpdateUserStatusReq update user request
     type UpdateUserStatusReq struct {
    -	// user id
    -	UserID string `validate:"required" json:"user_id"`
    -	// user status
    -	Status string `validate:"required,oneof=normal suspended deleted inactive" json:"status" enums:"normal,suspended,deleted,inactive"`
    +	UserID      string `validate:"required" json:"user_id"`
    +	Status      string `validate:"required,oneof=normal suspended deleted inactive" json:"status" enums:"normal,suspended,deleted,inactive"`
    +	LoginUserID string `json:"-"`
     }
     
     const (
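Review bot: The rewrite drops the `// user id` and `// user status` field comments and adds `LoginUserID` with no comment at all; keep the existing field docs and add one line stating that `LoginUserID` is the acting admin, set by the controller from the session, with `json:"-"` keeping it out of the request body. The tag itself is the right choice: encoding/json skips a `-`-tagged field on both decode and encode, so a client cannot set the acting user even by sending a `LoginUserID` key.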
    
  • internal/service/user_admin/user_backyard.go+4 0 modified
    @@ -61,6 +61,10 @@ func NewUserAdminService(
     
     // UpdateUserStatus update user
     func (us *UserAdminService) UpdateUserStatus(ctx context.Context, req *schema.UpdateUserStatusReq) (err error) {
    +	// Admin cannot modify their status
    +	if req.UserID == req.LoginUserID {
    +		return errors.BadRequest(reason.AdminCannotModifySelfStatus)
    +	}
     	userInfo, exist, err := us.userRepo.GetUserInfo(ctx, req.UserID)
     	if err != nil {
     		return
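Review bot: The guard `req.UserID == req.LoginUserID` is silently bypassed when `LoginUserID` is empty, which is the case for any caller that does not populate it (only the controller in this patch does); treat a missing actor as a bad request so the check fails closed, e.g. `if req.LoginUserID == "" || req.UserID == req.LoginUserID {` followed by the same `errors.BadRequest(...)` return. Placing the check before `GetUserInfo` is good, since the rejected case then costs no repository round trip.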
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.