Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.)
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Zapier security vulnerability
Vulnerability Description
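Zapier is a product of the US company Zapier. It allows end users to integrate the web applications they use and automate workflows. Versions of Zapier before 2022-08-17 contain a security vulnerability that stems from the code allowing privilege escalation within an account. An attacker can exploit this vulnerability to execute Python or JavaScript code.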
CVSS Information
N/A
Vulnerability Type
N/A