Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Manyfold has IDOR in ModelFilesController
Vulnerability Description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Manyfold 安全漏洞
Vulnerability Description
Manyfold是Manyfold开源的一个自托管网络应用。 Manyfold 0.133.1之前版本存在安全漏洞,该漏洞源于ModelFilesController中的get_model方法绕过Pundit授权。
CVSS Information
N/A
Vulnerability Type
N/A