Home > Vulnerability Database > WS-2023-0274

Mend.io Vulnerability Database

WS-2023-0274

Good to know:

Date: August 19, 2025

In @saltcorn/cli, unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled. All tenants of installation (i.e. saltcorn.com), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants. The issue is fixed in version 0.8.7.

Language: TYPE_SCRIPT

Severity Score

8.8

Related Resources (7)

Url: https://github.com/saltcorn/saltcorn/commit/4fecc603afedc158536136ef0bb7a862b240d0d4

Url: https://github.com/saltcorn/saltcorn/commit/0f32a51277a635c814a634bda9b6d358fb8c04ab

Url: https://github.com/saltcorn/saltcorn

Url: https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191

Url: https://github.com/saltcorn/saltcorn/pull/1973

Url: https://github.com/saltcorn/saltcorn/security/advisories/GHSA-wxf3-4fvj-vqqx

Url: https://www.mend.io/vulnerability-database/WS-2023-0274

Severity Score

8.8

Weakness Type (CWE)

Improper Authorization

CWE-285

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0274

Good to know:

Date: August 19, 2025

Language: TYPE_SCRIPT

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?