Advisories for Npm/@Kottster/Server package

2025

Kottster app reinitialization can be re-triggered allowing command injection in development mode

Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. The vulnerability combines two issues: (1) the initApp action can be called repeatedly without checking whether the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token; (2) the installPackagesForDataSource action uses unescaped command arguments, enabling command injection. An attacker with access to a locally running development …