jan-vandenberg / cruddiy

No-code Bootstrap PHP CRUD generator
http://cruddiy.com
GNU Affero General Public License v3.0

Security vulnerability disclosure #67

Open kazet opened 10 months ago

kazet commented 10 months ago

Hello,

CERT PL found a security vulnerability in this repository. How can we report this privately? We don't see any security policy describing how such vulnerabilities should be reported.

jan-vandenberg commented 10 months ago

Please send to my personal email janvdberg at gmail

kazet commented 10 months ago

Thank you! You should have received a report.

lukigruszka commented 8 months ago

Hello,

CERT PL has sent you a report on 23rd of November and resent it on 18th of December. Have you received any of them?

jan-vandenberg commented 8 months ago

Yes, but the mentioned finding applies to core/relations.php. This is code that is NOT meant to be deployed.

Cruddiy GENERATES code that IS meant to be deployed, and any findings there are of greater importance (not the generator code).

That being said, we will of course try and look into it, but that explains a little bit why there wasn't a direct response.

lukigruszka commented 8 months ago

We are aware that this code is not meant to be deployed. However, in a limited scope that vulnerability still poses a risk - when a user runs cruddiy locally and then enters a malicious website which performs such a crafted POST request to localhost, some arbitrary shell command will be executed on his/her machine.
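
The risk described in the comment above is a cross-site request forgery against a tool served on localhost: the browser, not the attacker, carries the crafted POST. Below is the guard a defender would put in front of such a locally served generator page. This is an added example and not cruddiy's own code; what `core/relations.php` actually does with the POST body is not shown on this page, so the function names, the `csrf_token` form field, the session key and the `handleGeneratorForm` entry point are all assumptions made for the illustration.

```php
<?php
// Added example (not cruddiy's code): reject cross-site POSTs to a local
// generator page. All names below are assumptions for the illustration.
declare(strict_types=1);

// Keep the session cookie off cross-site requests entirely (PHP >= 7.3).
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
session_start();

/**
 * True only if the POST was made by a page served from our own origin.
 * Browsers attach Sec-Fetch-Site and Origin to cross-site form posts, so a
 * request triggered from a malicious site fails here regardless of the body.
 */
function isSameOriginPost(array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Modern browsers state the relationship directly.
    $fetchSite = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($fetchSite !== null && $fetchSite !== 'same-origin') {
        return false;
    }
    // Otherwise compare the Origin (or Referer) host:port with the Host we serve on.
    $expected = $server['HTTP_HOST'] ?? '';
    $source   = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($expected === '' || $source === '') {
        return false; // no provenance at all: reject rather than guess
    }
    $host = (string) parse_url($source, PHP_URL_HOST);
    $port = parse_url($source, PHP_URL_PORT);
    $sourceHostPort = $host . ($port !== null ? ':' . $port : '');
    return hash_equals($expected, $sourceHostPort);
}

/** Per-session anti-CSRF token, embedded in the generator's own form. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Assumed entry point: both checks must pass before any submitted value is used.
function handleGeneratorForm(array $server, array $post): void
{
    if (!isSameOriginPost($server) || !csrfTokenValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Rejected: cross-site or untokened POST');
    }
    // Only now act on $post. Submitted values still must never reach a shell
    // unescaped; prefer PHP-native operations over exec() for generator tasks.
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handleGeneratorForm($_SERVER, $_POST);
}

// The generator's own form carries the token as a hidden field:
echo '<input type="hidden" name="csrf_token" value="'
    . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
```

The origin check alone defeats a forged form post from another site; the token additionally covers browsers that send no `Origin` header on same-site navigations, and the `SameSite=Strict` cookie means the forged request arrives with no session at all. None of this changes what the page does with its input, which is why the last comment in `handleGeneratorForm` still matters.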

lukigruszka commented 5 months ago

Hi, any updates on that? We would like to proceed with assigning a CVE for that vulnerability.