Vulnerability Information
Vulnerability Title
Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration
Vulnerability Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
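The following is an added example, not code from Vikunja or from this advisory: a small Node.js check that audits an Electron `webPreferences` object for the three settings named above. The function names, the sample configurations, and the choice to flag unset options are assumptions of the example.

```javascript
'use strict';
// Added example: audit an Electron BrowserWindow `webPreferences` object for the
// three settings the advisory names. All sample configs below are constructed.

// Option name, the value a hardened renderer needs, and what the wrong value exposes.
const RULES = [
  { key: 'nodeIntegration', safe: false,
    risk: 'scripts in the page can reach Node.js APIs' },
  { key: 'contextIsolation', safe: true,
    risk: 'page scripts share a JavaScript context with privileged code' },
  { key: 'sandbox', safe: true,
    risk: 'renderer process runs outside the Chromium sandbox' },
];

// Returns one finding per option that is not explicitly set to its safe value.
// Assumption of this example: unset options are flagged too, so the result
// does not depend on the defaults of whichever Electron version is bundled.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, safe, risk } of RULES) {
    if (prefs[key] === safe) continue;
    const state = (key in prefs) ? 'unsafe' : 'unset';
    findings.push({ key, state, risk });
  }
  return findings;
}

// The condition described in the advisory: nodeIntegration on, with neither
// contextIsolation nor sandbox explicitly enabled. Unset values are treated as
// "not enabled" here, which is the conservative reading (an assumption).
function xssEscalatesToRce(prefs = {}) {
  return prefs.nodeIntegration === true &&
         prefs.contextIsolation !== true &&
         prefs.sandbox !== true;
}

// Constructed configurations (not copied from Vikunja's source).
const asDescribed = { nodeIntegration: true, contextIsolation: false };
const hardened = { nodeIntegration: false, contextIsolation: true, sandbox: true };

for (const [name, prefs] of Object.entries({ asDescribed, hardened })) {
  console.log(name, 'escalates:', xssEscalatesToRce(prefs));
  for (const f of auditWebPreferences(prefs)) {
    console.log(`  ${f.key} (${f.state}): ${f.risk}`);
  }
}
```

Run against the options object passed to `new BrowserWindow(...)` in a wrapper's main process, the audit returns no findings only when all three settings are explicitly hardened.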
CVSS Information
N/A
Vulnerability Type
Improper Control of Generation of Code (Code Injection)
Vulnerability Title
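Vikunja Security Vulnerability
Vulnerability Description
Vikunja is an open-source to-do application from Vikunja. A security vulnerability exists in Vikunja versions 0.21.0 up to, but not including, 2.2.0. The vulnerability stems from the Vikunja Desktop Electron wrapper enabling nodeIntegration in the renderer process without enabling contextIsolation or sandbox, which may cause any cross-site scripting vulnerability to automatically escalate to full remote code execution on the victim's machine.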
CVSS Information
N/A
Vulnerability Type
N/A