| Title | wooey Wooey 0.13.3-dev Code Injection |
|---|---|
| Description | A vulnerability was found in wooey Wooey (master branch, post v0.13.2). The add_or_update_script API endpoint (/api/scripts/v1/add-or-update/) in wooey/api/scripts.py only checks if a user is authenticated but does not verify staff/admin privileges. This allows any registered user to upload arbitrary Python scripts via the API, which are then executed by Celery workers, leading to Remote Code Execution (RCE). The attack can be initiated remotely and does not require special privileges beyond a registered account. |
| Source | https://github.com/wooey/Wooey/issues/408 |
| User | anch0r (UID 96691) |
| Submitted | 2026-04-10 03:52 (2 months ago) |
| Moderation | 2026-04-26 21:43 (17 days later) |
| Status | Accepted |
| VulDB entry | 359741 [Wooey up to 0.13.2 API Endpoint wooey/api/scripts.py add_or_update_script privilege escalation] |
| Points | 20 |