| 标题 | wooey Wooey 0.13.3-dev Code Injection |
|---|
| 描述 | A vulnerability was found in wooey Wooey (master branch, post v0.13.2). The add_or_update_script API endpoint (/api/scripts/v1/add-or-update/) in wooey/api/scripts.py only checks if a user is authenticated but does not verify staff/admin privileges. This allows any registered user to upload arbitrary Python scripts via the API, which are then executed by Celery workers, leading to Remote Code Execution (RCE). The attack can be initiated remotely and does not require special privileges beyond a registered account. |
|---|
| 来源 | ⚠️ https://github.com/wooey/Wooey/issues/408 |
|---|
| 用户 | anch0r (UID 96691) |
|---|
| 提交 | 2026-04-10 03時52分 (18 日前) |
|---|
| 管理 | 2026-04-26 21時43分 (17 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 359741 [Wooey 直到 0.13.2 API Endpoint wooey/api/scripts.py add_or_update_script 权限提升] |
|---|
| 积分 | 20 |
|---|