| Field | Value |
|---|---|
| Title | Deco deco-mesh runtime v1.0.0-alpha.31 Improper Access Controls |
| Description | A security flaw existed in the workspace auto-join feature of DecoCMS Mesh that allowed unauthenticated or unauthorized users to join any workspace simply by supplying a valid workspace domain.<br>PoC: https://github.com/decocms/mesh/pull/1967<br>This vulnerability has been fixed in runtime v1.0.0-alpha.32.<br>Root cause: the server did not check that the user's email domain matched the workspace domain.<br>Impact: access to other workspaces, just by knowing their organization domain. |
| Source | https://github.com/decocms/mesh/pull/1967 |
| User | Anonymous User |
| Submitted | 2025-12-12 04:59 AM (4 months ago) |
| Moderation | 2025-12-13 02:25 PM (1 day later) |
| Status | Accepted |
| VulDB Entry | 336392 [DecoCMS Mesh up to 1.0.0-alpha.31 Workspace Domain api.ts createTool domain privilege escalation] |
| Points | 20 |