Unsafe plugins can be installed via pack import by tenant admins
Summary Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disables Details I have an example https://bot20230704.saltcorn.com/view/all_plugins It's publicly accessible (but has not so secure values except list of tenants). But using this mech one can read any data from other tenants. Impact All tenants of installation (i.e. saltcorn.com), can be compromised from tenant user has admin …