icon

We found results for “

WS-2023-0274

Good to know:

icon

Date: August 19, 2025

In @saltcorn/cli, unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled. All tenants of installation (i.e. saltcorn.com), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants. The issue is fixed in version 0.8.7.

Language: TYPE_SCRIPT

Severity Score

Severity Score

Weakness Type (CWE)

Improper Authorization

CWE-285

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us