Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing Authorization in Conduit
Vulnerability Description
Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords, siging json with the server's key, deactivating users, and more
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
授权机制缺失
Vulnerability Title
Conduit 安全漏洞
Vulnerability Description
Conduit是Famedly开源的一款简单、快速、可靠的聊天服务器。 Conduit v0.7.0及之前版本存在安全漏洞,该漏洞源于API缺少授权,允许提升权限和运行命令重置密码。
CVSS Information
N/A
Vulnerability Type
N/A