Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges.

Recommendation

For loopback 2.x, upgrade to version 2.40.0 or later
For loopback 3.x, upgrade to version 3.22.0 or later

References

• https://loopback.io/doc/en/lb2/Security-advisory-08-08-2018.html]
• https://loopback.io/doc/en/lb3/Security-advisory-08-08-2018.html]
• https://www.npmjs.com/advisories/771
• https://github.com/strongloop/loopback