Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
FUXA Security Vulnerability
Vulnerability Description
FUXA is an open-source, web-based process visualization software from frangoteam. FUXA 1.2.8 and earlier versions contain a security vulnerability stemming from an authentication bypass: the server/api/jwt-helper.js middleware improperly trusts the HTTP Referer header when validating internal requests, which may allow a remote unauthenticated attacker to bypass JWT authentication by forging the Referer header, then access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
CVSS Information
N/A
Vulnerability Type
N/A