Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page
Event log data is not properly sanitized, leading to a stored Cross-Site Scripting (XSS) vulnerability.
A logged-in user with any role can delete arbitrary files on the filesystem by calling the sync/clean_sync_dir endpoint. The dir_name POST parameter is not validated or sanitized and is used to construct the syncDir path that is then deleted by calling fs.rm.
The endpoint /site-structure/localizer/save-string/:lang/:defstring accepts two parameter values: lang and defstring. These values are used in an unsafe way to set the keys and values of the cfgStrings object. This allows adding or modifying properties of the Object prototype, which results in several logic issues, including RCE vulnerabilities by polluting the tempRootFolder property, and SQL injection vulnerabilities by polluting the schema property when a PostgreSQL database is used.
A user with admin permission can read and download arbitrary zip files when downloading auto backups. The file name used to identify the zip file is not properly sanitized before being passed to the res.download API.
A user with admin permission can read arbitrary file and directory names on the filesystem by calling the admin/build-mobile-app/result?build_dir_name= endpoint. The build_dir_name parameter is not properly validated and is then used to construct the buildDir path that is read. The file and directory names under the buildDir are returned in the response.