| Title | Deco deco-mesh runtime v1.0.0-alpha.31 Improper Access Controls |
|---|---|
| Description | A security flaw existed in the workspace auto-join feature of DecoCMS Mesh that allowed unauthenticated or unauthorized users to join any workspace simply by supplying a valid workspace domain.<br>PoC: https://github.com/decocms/mesh/pull/1967<br>This vulnerability has been fixed in runtime v1.0.0-alpha.32.<br>Root Cause: The server did not check whether the user's email matched the workspace domain.<br>Impact: Access to other workspaces, just by knowing their organization domain. |
| Source | ⚠️ https://github.com/decocms/mesh/pull/1967 |
| User | Anonymous User |
| Submitted | 12/12/2025 04:59 (5 months ago) |
| Moderation | 13/12/2025 14:25 (1 day later) |
| Status | Accepted |
| VulDB Entry | 336392 [DecoCMS Mesh up to 1.0.0-alpha.31 Workspace Domain api.ts createTool domain privilege escalation] |
| Points | 20 |
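
The root cause in the description, sketched as an added example that is not DecoCMS Mesh code: the first check grants auto-join because the supplied domain exists, the second ties it to the caller's own email domain. All types, names and sample data here are hypothetical, and requiring a verified email is an assumption beyond what the entry states.

```typescript
// Illustrative sketch only: hypothetical types and names, not the project's code.
interface User { email: string; emailVerified: boolean }
interface Workspace { id: string; autoJoinDomain: string }

// Constructed sample data.
const WORKSPACES: Workspace[] = [
  { id: "ws-acme", autoJoinDomain: "acme.example" },
];

function findWorkspace(domain: string): Workspace | undefined {
  const wanted = domain.trim().toLowerCase();
  for (const w of WORKSPACES) {
    if (w.autoJoinDomain === wanted) return w;
  }
  return undefined;
}

// Flawed pattern: membership is granted because the supplied domain exists.
// Nothing ties the caller's identity to that domain.
function canAutoJoinUnchecked(_user: User | null, domain: string): boolean {
  return findWorkspace(domain) !== undefined;
}

// Returns the lowercased domain of an address, or null if it is malformed.
function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// Corrected pattern: require an authenticated user with a verified email
// (assumption) whose domain equals the workspace domain exactly, so that
// suffix or substring look-alikes do not pass.
function canAutoJoin(user: User | null, domain: string): boolean {
  if (user === null || !user.emailVerified) return false;
  const ws = findWorkspace(domain);
  const userDomain = emailDomain(user.email);
  return ws !== undefined && userDomain !== null && userDomain === ws.autoJoinDomain;
}
```

The comparison runs server-side against the email held in the authenticated session, never against an address or domain taken from the request body.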