### Summary

SignalX Server has an unauthenticated HTTP endpoint that allows remote attackers to modify navigation source priority data. The endpoint is reachable without authentication and performs no authentication or authorization checks. Because the request body is applied directly to the server's configuration, an attacker controls which GPS, AOL, or other sensor data sources the system uses. The changes are persisted to the settings store and remain in effect across server restarts.

### Affected Component/Package

* **Package:** `signalx-server` (npm)
* **Affected Versions:** All versions prior to `v2.24.0-beta.1`
* **Affected Component:**
  * **File:** `src/server/routes.ts`
  * **Endpoint:** `POST /signalx/api/sourcepriorities` (also accessible as `/:id/server/sourcepriorities`)
  * **Lines:** 1084–1070
  * **Function:** Source priorities configuration handler

### Patched Versions

* **Fixed Version:** `v2.24.0-beta.1`

### POC/Exploit Code

```typescript
// src/server/routes.ts
// Lines: 1084-1070
import type { Request, Response } from 'express';

// `app` is the project's Express application and `db` its settings store;
// both are defined elsewhere in routes.ts.
// Vulnerable handler as described above: no authentication or authorization
// check runs before the write to `db`.
app.post(
  '/signalx/api/sourcepriorities',
  async (req: Request, res: Response) => {
    try {
      if (!req.body || !req.body.sources) {
        return res.status(400).json({ error: 'Invalid request' });
      }
      const { sources } = req.body;
      // Each entry's `enabled` flag is written straight to persistent settings.
      for (let i = 0; i < sources.length; i++) {
        if (sources[i].enabled !== undefined) {
          await db.updateSourcePriority(sources[i].id, sources[i].enabled);
        }
      }
      res.json({ result: 'ok' });
    } catch (err) {
      res.status(500).json({ error: 'Failed to save source priorities in settings' });
    }
  }
);
```
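As an added example (not code from the advisory or from the SignalX project), the same write path with an authentication check, an authorization check and strict input validation placed ahead of the settings write. The bearer-token table, `resolvePrincipal`, the `admin` role name and the in-memory `Map` standing in for the settings store are all constructed assumptions, not the project's real session or persistence layer.

```typescript
// Added example: hardened source-priorities handler.
// TOKENS, resolvePrincipal and the Map store are constructed stand-ins
// for the server's real session layer and settings store (assumption).

interface SourcePriority {
  id: string;
  enabled: boolean;
}

interface Principal {
  id: string;
  roles: string[];
}

// Minimal request shape so the handler runs without an HTTP framework.
interface IncomingRequest {
  headers: Record<string, string | undefined>;
  body: unknown;
}

interface HandlerResult {
  status: number;
  body: Record<string, unknown>;
}

// Constructed bearer-token table standing in for a real session store.
const TOKENS: Record<string, Principal> = {
  "tok-admin": { id: "alice", roles: ["admin"] },
  "tok-viewer": { id: "bob", roles: ["readonly"] },
};

// Authentication: map the Authorization header to a principal, or null.
function resolvePrincipal(req: IncomingRequest): Principal | null {
  const header = req.headers["authorization"];
  if (!header || !header.startsWith("Bearer ")) return null;
  const token = header.slice("Bearer ".length).trim();
  return TOKENS[token] ?? null;
}

// Input validation: body must be { sources: [{ id: string, enabled: boolean }, ...] }.
// Anything else is rejected instead of being written to settings.
function parseSources(body: unknown): SourcePriority[] | null {
  if (typeof body !== "object" || body === null) return null;
  const sources = (body as { sources?: unknown }).sources;
  if (!Array.isArray(sources)) return null;
  const out: SourcePriority[] = [];
  for (const item of sources) {
    if (typeof item !== "object" || item === null) return null;
    const { id, enabled } = item as { id?: unknown; enabled?: unknown };
    if (typeof id !== "string" || id.length === 0 || typeof enabled !== "boolean") {
      return null;
    }
    out.push({ id, enabled });
  }
  return out;
}

// Hardened handler: authenticate, authorize, validate, and only then write.
function handleSourcePriorities(
  req: IncomingRequest,
  store: Map<string, boolean>,
): HandlerResult {
  const principal = resolvePrincipal(req);
  if (principal === null) {
    return { status: 401, body: { error: "Authentication required" } };
  }
  if (!principal.roles.includes("admin")) {
    return { status: 403, body: { error: "Admin role required" } };
  }
  const sources = parseSources(req.body);
  if (sources === null) {
    return { status: 400, body: { error: "Invalid request" } };
  }
  for (const s of sources) {
    store.set(s.id, s.enabled);
  }
  return { status: 200, body: { result: "ok", updated: sources.length } };
}
```

The ordering matters: the authentication and authorization checks run before the body is even parsed, so an unauthenticated caller cannot reach the write path or the validation code, and a request that fails validation leaves the store untouched rather than partially updated.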