GHSA-wxf3-4fvj-vqqx: Unsafe plugins can be installed via pack import by tenant admins
Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import by a tenant admin, even when unsafe plugin installation for tenants is disabled. The direct plugin-install path enforces that setting; the pack-import path did not, so a tenant admin could bypass the restriction by uploading a pack that lists the unsafe plugin.
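The pattern behind this class of bug, as an added illustration that is not Saltcorn's code: one install path enforces the tenant policy while a second path (pack import) writes plugins straight into the tenant. All names below (assertPluginAllowed, importPackVulnerable, importPackFixed, the "public" root-tenant name, the tenantsUnsafePlugins config key, the pack shape) are hypothetical, and the "unsafe plugin" set is constructed to mirror the sql-list example in the advisory.

```javascript
// Added example, not Saltcorn's code. Every identifier here is hypothetical.

// Constructed policy: plugins in this set may run arbitrary SQL or otherwise
// escape tenant isolation, so only the root tenant (or an explicit opt-in) may use them.
const UNSAFE_PLUGINS = new Set(["sql-list"]);

function isRootTenant(tenantName) {
  return tenantName === "public"; // hypothetical root-tenant name
}

// The single chokepoint where the unsafe-plugin decision is made.
function assertPluginAllowed(tenantName, config, pluginName) {
  if (!UNSAFE_PLUGINS.has(pluginName)) return;
  if (isRootTenant(tenantName)) return;
  if (config.tenantsUnsafePlugins === true) return;
  throw new Error(`unsafe plugin "${pluginName}" not permitted in tenant "${tenantName}"`);
}

// Direct install route: consults the policy before installing.
function installPlugin(state, pluginName) {
  assertPluginAllowed(state.tenant, state.config, pluginName);
  state.installed.add(pluginName);
}

// VULNERABLE pack import: copies the pack's plugin list into the tenant without
// ever calling assertPluginAllowed, so a tenant admin can smuggle "sql-list" in.
function importPackVulnerable(state, pack) {
  for (const p of pack.plugins) state.installed.add(p.name);
  state.tables.push(...pack.tables);
}

// FIXED pack import: validate the whole pack against the policy first (so a rejected
// pack leaves no partial state), then route each plugin through the same install path.
function importPackFixed(state, pack) {
  for (const p of pack.plugins) assertPluginAllowed(state.tenant, state.config, p.name);
  for (const p of pack.plugins) installPlugin(state, p.name);
  state.tables.push(...pack.tables);
}

function newTenantState(tenant, config) {
  return { tenant, config, installed: new Set(), tables: [] };
}

// Constructed pack, shaped like something a tenant admin might upload.
const EVIL_PACK = { plugins: [{ name: "sql-list" }], tables: [{ name: "t" }] };

// Runs both import paths for a subdomain tenant with tenant unsafe plugins disabled,
// plus the root tenant through the fixed path, and reports what each ended up with.
function demo() {
  const cfg = { tenantsUnsafePlugins: false };

  const vuln = newTenantState("acme", cfg);
  importPackVulnerable(vuln, EVIL_PACK);

  const fixed = newTenantState("acme", cfg);
  let rejected = false;
  try {
    importPackFixed(fixed, EVIL_PACK);
  } catch (e) {
    rejected = true;
  }

  const root = newTenantState("public", cfg);
  importPackFixed(root, EVIL_PACK);

  return {
    vulnerableInstalledUnsafe: vuln.installed.has("sql-list"),
    fixedRejected: rejected,
    fixedInstalledCount: fixed.installed.size,
    fixedTablesCount: fixed.tables.length,
    rootInstalledUnsafe: root.installed.has("sql-list"),
  };
}

console.log(demo());
```

The point of the fix is not the extra check in the import loop by itself but that every path that can add a plugin to a tenant calls the same assertPluginAllowed; validating the whole pack before installing anything also avoids a half-applied pack when one entry is rejected.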
References
- github.com/advisories/GHSA-wxf3-4fvj-vqqx
- github.com/saltcorn/saltcorn
- github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js
- github.com/saltcorn/saltcorn/commit/0f32a51277a635c814a634bda9b6d358fb8c04ab
- github.com/saltcorn/saltcorn/pull/1973
- github.com/saltcorn/saltcorn/security/advisories/GHSA-wxf3-4fvj-vqqx