@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst
Severity: High
Description
The endpoint `/site-structure/localizer/save-string/:lang/:defstring` takes two values from the URL path, `lang` and `defstring`, and uses them without validation as the keys under which a value is written into the `cfgStrings` object. Because both keys are attacker-controlled, a `lang` value that names a prototype (such as `__proto__`) makes the write land on `Object.prototype` rather than on a language table, polluting every object in the process; code that later reads the polluted property is what turns this into remote code execution or SQL injection.
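The pattern described above, as an added example that is not code from @saltcorn/server or from its fix: the vulnerable write beside a hardened version, plus a self-check that shows the pollution landing on `Object.prototype`. The names `cfgStrings`, `saveStringUnsafe`, `saveStringSafe` and the `value` argument are assumptions for the illustration, and the attacker-chosen key `polluted` is constructed.

```javascript
// Added illustration, not code from @saltcorn/server: a minimal model of the
// save-string pattern. The names cfgStrings, saveStringUnsafe, saveStringSafe
// and the value argument are assumptions made for this demo.

// Vulnerable shape: two attacker-controlled path segments become object keys.
// With lang === "__proto__", cfgStrings[lang] resolves to Object.prototype,
// so the second assignment writes a property onto every object in the process.
function saveStringUnsafe(cfgStrings, lang, defstring, value) {
  if (!cfgStrings[lang]) cfgStrings[lang] = {};
  cfgStrings[lang][defstring] = value;
  return cfgStrings;
}

// Hardened shape: allowlist the language tag, refuse prototype-walking keys,
// trust only own properties, and keep per-language tables prototype-free.
const LANG_TAG = /^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$/; // strict BCP 47-style subset
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function saveStringSafe(cfgStrings, lang, defstring, value) {
  if (typeof lang !== "string" || !LANG_TAG.test(lang)) {
    throw new TypeError("invalid lang");
  }
  if (typeof defstring !== "string" || defstring === "" || FORBIDDEN_KEYS.has(defstring)) {
    throw new TypeError("invalid defstring");
  }
  if (typeof value !== "string") {
    throw new TypeError("invalid value");
  }
  if (!Object.prototype.hasOwnProperty.call(cfgStrings, lang)) {
    cfgStrings[lang] = Object.create(null); // no prototype chain to pollute
  }
  cfgStrings[lang][defstring] = value;
  return cfgStrings;
}

// Runs both variants against the same attacker input and reports what happened.
// Object.prototype is restored afterwards so the rest of the process is unaffected.
function demonstrate() {
  const probe = "polluted";                   // constructed attacker-chosen key
  const before = ({})[probe];                 // undefined on a clean prototype
  saveStringUnsafe({}, "__proto__", probe, "yes");
  const after = ({})[probe];                  // "yes": every object now carries it
  delete Object.prototype[probe];

  let rejected = false;
  try {
    saveStringSafe({}, "__proto__", probe, "yes");
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const store = saveStringSafe({}, "de", "Hello", "Hallo");
  return {
    before,
    after,
    rejected,
    stored: store.de.Hello,
    stillClean: ({})[probe] === undefined,
  };
}

console.log(demonstrate());
```

The key-level filter alone is not enough in general: a pre-existing `cfgStrings[lang]` table that was created as a plain `{}` still has `Object.prototype` behind it, which is why the hardened version also rejects `__proto__`, `constructor` and `prototype` as `defstring` and creates new tables with `Object.create(null)`. Once `Object.prototype` carries an attacker property, any later code that reads an absent option (a query builder, a template engine, a child-process spawner) sees the attacker's value, which is the general route from this bug to SQL injection or code execution.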
Recommendation
Update the @saltcorn/server package to the latest compatible version. Version details:
- Affected version(s): <= 1.0.0-beta.13
- Patched version(s): 1.0.0-beta.14
Related Issues
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) - CVE-2025-66398
- Remote code execution via MongoDB BSON parser through prototype pollution - CVE-2022-39396
- @saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plug - Vulnerability
Tags:
- npm
- @saltcorn/server
Last updated on October 04, 2024