Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OliveTin: View permission not being checked when returning dashboards
Vulnerability Description
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
OliveTin 安全漏洞
Vulnerability Description
OliveTin是OliveTin开源的一个Web应用。 OliveTin 3000.11.1之前版本存在安全漏洞,该漏洞源于授权缺陷,可能导致具有view: false权限的已验证用户通过仪表板和API端点枚举操作绑定和元数据。
CVSS Information
N/A
Vulnerability Type
N/A