3 matches found
malla: Stored XSS via Meshtastic node names in multiple frontend pages
Node names longname, shortname received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor. Affecte...
PT-2026-46117
Node names long name, short name received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor...
PT-2024-31388 · Unknown · Meshtastic
Name of the Vulnerable Software and Affected Versions: Meshtastic device firmware versions prior to 2.4.1 Description: The Meshtastic device firmware is subject to a denial of service vulnerability in MQTT handling. This issue is fixed in version 2.4.1 of the Meshtastic firmware and on the...