33181 matches found
YesWiki has Multiple Reflected Cross-site Scripting Vulnerabilities
Summary Multiple reflected Cross-site Scripting XSS vulnerabilities across both authenticated and unauthenticated portions of the application. These findings present a significant security risk, as they can be leveraged to execute arbitrary JavaScript in a victim’s browser under various contexts...
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
Summary @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like...
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
Summary @xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain...
Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
Summary Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has ...
YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"
Summary A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. Type: Stored an...
CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via Group / Role Management Fields Administrative Context Execution - Stored Cross-Site Scripting via Unsanitized Group / Role Management Inputs Description The application fails to properly sanitize user-controlled input within group and role management...
CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via Methods Management Fields Global Persistent Payload Execution - Stored Cross-Site Scripting via Unsanitized Method Creation and Management Inputs - Automatic Execution Across All Pages Where Method Is Rendered in Navigation Description The application fai...
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Impact An authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property an "array-like" obje...
SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution
Summary A vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the...
TorchGeo Remote Code Execution Vulnerability
Impact TorchGeo 0.4–0.6.0 used an eval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose torchgeo.models.getweight or torchgeo.trainers as an external API could be affected. Patches The eval statement wa...
Parse Server has a session field immutability bypass via falsy-value guard
Impact An authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length...
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
Summary OpenClaw loaded the current working directory .env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values. Impact A repository or workspace containing a malicious .env file could override runtime configuration and security-sensitive...
OpenClaw gateway exec allow-always over-trusts positional carrier executables
Summary Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. Impact A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval...
OpenClaw affected by SSRF via unguarded image download in fal provider
Summary The fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path. Impact A malicious or compromised fal relay could make the gateway fetch internal URLs and expose metadata or internal service responses throug...
OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
Summary When only a route-level group allowlist was configured, sender policy resolution silently downgraded from allowlist to open instead of preserving the configured group policy. Impact Any member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the...
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
Summary The chat.send path reused command authorization to trigger /reset session rotation even though direct session reset is an admin-only control-plane operation. Impact A write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id...
OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
Summary The node pairing approval path did not consistently enforce that the approving caller already held every scope requested by the node. Impact A lower-privileged operator could approve a pending node request for broader scopes and extend privileges onto the paired node. Affected Component...
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
Summary Allow-always persistence did not unwrap /usr/bin/script and similar wrappers to the actual executed target before storing trust decisions. Impact A user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program. Affected...
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
Summary Host exec env override sanitization did not fail closed for several package-manager and related redirect variables that can steer dependency fetches or startup behavior. Impact An approved exec request could silently redirect package resolution or runtime bootstrap to attacker-controlled...
OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
Summary Nextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak. Impact An attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events...
OpenClaw SSRF guard misses four IPv6 special-use ranges
Summary The SSRF/IP classifier treated several IPv6 special-use ranges as public and allowed fetches to proceed. Impact An attacker who controlled a fetched URL could target internal or non-routable IPv6 addresses that should have been blocked by the SSRF guard. Affected Component...
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement
Summary Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages. Impact Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy. Affected...
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
Summary ACP-only provenance fields in chat.send were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state. Impact A normal authenticated operator client could spoof ACP identity labels and inject reserved provenance fields intended only for...
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
Summary The chat.send path let authorized write-scoped callers persist /verbose session overrides even though the same stored session mutation is admin-only through sessions.patch. Impact A write-scoped gateway caller could persist verbose output for later runs and expose more reasoning or tool...
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Summary Host execution env sanitization did not block GITTEMPLATEDIR or AWSCONFIGFILE, even though both can redirect trusted tooling to attacker-controlled content. Impact An approved exec request could redirect git or AWS CLI behavior through attacker-controlled configuration and execute untrust...
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure
Summary The jq safe-bin policy blocked explicit env usage but still allowed jq programs that accessed environment data through $ENV. Impact An operator-approved safe-bin jq command could disclose environment variables that the safe-bin policy was supposed to keep out of scope. Affected Component...
OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
Summary The message tool accepted mediaUrl and fileUrl aliases without applying the same sandbox localRoots validation as the canonical media path handling. Impact A caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters. Affected...
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades
Summary The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget. Impact An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients. Affected...
OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
Summary Feishu upload path resolution could read files outside the configured localRoots sandbox before handing them to the upload path. Impact A tool caller constrained to workspace or localRoots paths could exfiltrate arbitrary host files through Feishu upload actions. Affected Component...
OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals
Summary Discord text approval commands resolved pending exec approvals without honoring the configured approver allowlist. Impact A Discord user who was allowed to send commands but was not in the approver list could still approve pending host execution. Affected Component...
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
Summary Remote onboarding accepted discovered gateway endpoints without an explicit trust confirmation before persisting the remote URL and connection details. Impact A malicious or spoofed discovery endpoint could steer onboarding toward an attacker-controlled gateway and capture future gateway...
OpenClaw: Zalo channel downloads media before sender authorization
Summary The Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran. Impact Unauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected. Affected Component...
OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
Summary The /pair approve command path called device approval without forwarding caller scopes into the core approval check. Impact A caller that held pairing privileges but not admin privileges could approve a pending device request asking for broader scopes, including admin access. Affected...
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
Summary Plivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key. Impact An attacker who captured one valid signed Plivo V3 webhook could...
parse-server has GraphQL complexity validator exponential fragment traversal DoS
Impact The GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects...
parse-server has cloud function validator bypass via prototype chain traversal
Impact An attacker can bypass Cloud Function validator access controls by appending .prototype.constructor to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal...
Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client
Summary In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any...
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection
Summary The SPA index page in File Browser is vulnerable to Stored Cross-site Scripting XSS via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. Details...
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
Summary The signupHandler in File Browser applies default user permissions via d.settings.Defaults.Applyuser, then strips only Admin commit a63573b. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side...
File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file
Summary The EPUB preview function in File Browser is vulnerable to Stored Cross-site Scripting XSS. JavaScript embedded in a crafted EPUB file executes in the victim's browser when they preview the file. Details frontend/src/views/files/Preview.vue passes allowScriptedContent: true to the...
openssl-encrypt silently skips schema validation when jsonschema library is not installed
Summary In opensslencrypt/modules/jsonvalidator.py at lines 234-238, when the jsonschema library is not installed, all schema validation is silently skipped with only a print warning. Affected Code python if not JSONSCHEMAAVAILABLE: printf"Warning: Cannot validate against schema 'schemaname' -...
openssl-encrypt has non-cryptographic PRNG used for steganography pixel selection
Summary The generatepseudorandomsequence function in opensslencrypt/plugins/steganography/core/utils.py at lines 89-91 uses Python's random module Mersenne Twister for steganographic pixel/sample selection. Affected Code python random.seedseed sequence = random.samplerangemaxvalue, minlength,...
openssl-encrypt has visible password in process list via --password CLI argument
Summary Passwords passed via the --password / -p CLI argument in opensslencrypt/modules/cryptclisubparser.py at lines 150-154 are visible to any user on the system via ps aux or /proc/pid/cmdline. Affected Code python subparser.addargument "--password", "-p", help="Password will prompt if not...
openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart
Severity: HIGH Summary The TOTP brute-force rate limiter in opensslencryptserver/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdictlist as a class variable. Affected Code python class TOTPRateLimiter: def initself, ...: self.attempts: Dictstr, Listdatetime = defaultdictlist...
openssl-encrypt: Dynamic .so loading for Whirlpool uses broad glob pattern without integrity verification
Severity: HIGH Summary The Whirlpool hash implementation in opensslencrypt/modules/registry/hashregistry.py at lines 570-589 uses glob patterns to find .so modules in site-packages and loads the first match via importlib without verifying module integrity. Affected Code python for sitepkg in...
SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
Summary The publish service exposes bookmarked blocks from password-protected documents to unauthenticated visitors. In publish/read-only mode, /api/bookmark/getBookmark filters bookmark results by calling FilterBlocksByPublishAccessnil, .... Because the filter treats a nil context as authorized,...
SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Summary A malicious website can achieve Remote Code Execution RCE on any desktop running SiYuan by exploiting the permissive CORS policy Access-Control-Allow-Origin: + Access-Control-Allow-Private-Network: true to inject a JavaScript snippet via the API. The injected snippet executes in Electron'...
SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client
Summary An attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From - Asset Field” enabled. The vulnerable code accepts arbitrary https URLs without extensions as images, stores the...
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes
Product: Nuxt OG Image Version: 6.1.2 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation Description: Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection. Impact: Client-Side JavaScript Execution Exploitation...