| Title | chatboxai chatbox 1.20.0 Arbitrary Command Execution |
|---|---|
| Description | Chatbox v1.20.0 contains an arbitrary command execution vulnerability in the MCP (Model Context Protocol) stdio transport IPC handler. The mcp:stdio-transport:create IPC channel accepts command, args, and env parameters directly from the renderer process and spawns a child process via StdioClientTransport without any validation, sanitization, or command allowlisting. Since ipcRenderer.invoke is directly exposed via the Electron context bridge (see chatbox_02), any JavaScript running in the renderer context can execute arbitrary system commands with the full privileges of the Electron main process. |
| Source | https://github.com/chatboxai/chatbox/issues/3627 |
| User | Yu_Bao (UID 89348) |
| Submission | 02/04/2026 11:03 AM (15 days ago) |
| Moderation | 12/04/2026 06:30 AM (10 days later) |
| Status | Approved |
| VulDB Entry | 356993 [chatboxai chatbox up to 1.20.0 Model Context Protocol Server Management System ipc-stdio-transport.ts StdioClientTransport args/env privilege escalation] |
| Points | 20 |