Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Command Injection in Cocos Engine workflow
Vulnerability Description
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was opened or updated and contained the user controllable field `(${{ github.head_ref }} – the name of the fork’s branch)`. This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Cocos Engine 命令注入漏洞
Vulnerability Description
Cocos Engine是中国Xiamen Yaji的是一个用于构建2D和3D实时渲染和交互内容的开源框架。 Cocos Engine存在命令注入漏洞,该漏洞源于存在命令注入,攻击者利用该漏洞可以运行自定义命令。
CVSS Information
N/A
Vulnerability Type
N/A