The (1) reports API and (2) administration feature in the comments API in the Ushahidi Platform before 2.5 do not require authentication, which allows remote attackers to generate reports and organize comments via API functions.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ushahidi_platform | Ushahidi | * | 2.4.1 (including) |
| Ushahidi_platform | Ushahidi | 1.0 (including) | 1.0 (including) |
| Ushahidi_platform | Ushahidi | 1.2 (including) | 1.2 (including) |
| Ushahidi_platform | Ushahidi | 2.0 (including) | 2.0 (including) |
| Ushahidi_platform | Ushahidi | 2.1 (including) | 2.1 (including) |
| Ushahidi_platform | Ushahidi | 2.2 (including) | 2.2 (including) |
| Ushahidi_platform | Ushahidi | 2.2.1 (including) | 2.2.1 (including) |
| Ushahidi_platform | Ushahidi | 2.3.1 (including) | 2.3.1 (including) |
| Ushahidi_platform | Ushahidi | 2.3.2 (including) | 2.3.2 (including) |
| Ushahidi_platform | Ushahidi | 2.4 (including) | 2.4 (including) |