opencats / OpenCATS

Applicant Tracking System (maintained code base)
http://www.opencats.org

Remote Code Execution #582

Closed doroniz closed 1 year ago

doroniz commented 1 year ago

Any updates on vulnerabilities that were reported here?

https://github.com/hansmach1ne/opencats_zero-days/blob/main/RCE_via_deserialisation.md
https://nvd.nist.gov/vuln/detail/CVE-2022-43019

and

https://github.com/hansmach1ne/opencats_zero-days/blob/main/XSS_in_indexFile.md
https://nvd.nist.gov/vuln/detail/CVE-2022-43017

RussH commented 1 year ago

Hi,

@hansmach1ne has done great work identifying and committing fixes for a number of vulnerabilities. Most (including this one) are exploitable on the backend only using an already active user account. The priority to date was to patch the Career portal and unauthenticated vulnerabilities. These complete that previous work. I still need to fully test functionality after the patch, so have not generated a new release yet.

RussH commented 1 year ago

Closed - https://github.com/opencats/OpenCATS/releases/tag/v0.9.7.2