2 matches found
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
Summary: In the openclaw MS Teams file-consent flow, pending uploads were authorized by uploadId alone. fileConsent/invoke did not verify the invoke conversation against the conversation that created the pending upload. Impact: An attacker who obtained a valid uploadId within TTL could trigger...
CVE-2022-22916
O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /xprogramcenter/jaxrs/invoke...