| शीर्षक | o2oa https://github.com/o2oa/o2oa 10.0 Code Execution |
|---|
| विवरण | O2OA contains an unauthenticated remote code execution vulnerability in the NodeAgent control channel. An unauthenticated attacker can obtain the RSA public key from the authentication endpoint and use it to forge a valid NodeAgent credential because the server only checks whether the decrypted credential begins with a fixed prefix. The attacker can then use the syncFile command to overwrite a startup script such as start_windows.bat or start_linux.sh and trigger command:restart, causing the attacker-controlled script content to be executed on the target server. |
|---|
| स्रोत | ⚠️ https://github.com/o2oa/o2oa/issues/194 |
|---|
| उपयोगकर्ता | larlarua (UID 97278) |
|---|
| सबमिशन | 12/04/2026 11:26 AM (2 महीनों पहले) |
|---|
| संयम | 28/04/2026 12:21 PM (16 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 359952 [o2oa तक 10.0 NodeAgent NodeAgent.java syncFile अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|