Enviar #801533: wooey Wooey 0.13.3-dev Code Injectioninformación

Títulowooey Wooey 0.13.3-dev Code Injection
DescripciónA vulnerability was found in wooey Wooey (master branch, post v0.13.2). The add_or_update_script API endpoint (/api/scripts/v1/add-or-update/) in wooey/api/scripts.py only checks if a user is authenticated but does not verify staff/admin privileges. This allows any registered user to upload arbitrary Python scripts via the API, which are then executed by Celery workers, leading to Remote Code Execution (RCE). The attack can be initiated remotely and does not require special privileges beyond a registered account.
Fuente⚠️ https://github.com/wooey/Wooey/issues/408
Usuario
 anch0r (UID 96691)
Sumisión2026-04-10 03:52 (hace 18 días)
Moderación2026-04-26 21:43 (17 days later)
EstadoAceptado
Entrada de VulDB359741 [Wooey hasta 0.13.2 API Endpoint wooey/api/scripts.py add_or_update_script escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Interested in the pricing of exploits?

See the underground prices here!