Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
xiaoheiFS Vulnerable to RCE via Unrestricted Plugin Installation (Manifest Manipulation)
Vulnerability Description
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a `manifest.json`. The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
xiaoheiFS 安全漏洞
Vulnerability Description
xiaoheiFS是Danvei个人开发者的一个自托管云服务财务与运营系统。 xiaoheiFS 0.3.15及之前版本存在安全漏洞,该漏洞源于标准插件系统允许管理员上传包含二进制文件和manifest.json的ZIP文件,服务器信任清单中的binaries字段并执行指定文件,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A