漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Capgo - Unauthorized Manifest Insertion via Read-Only Org Member
Vulnerability Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
Capgo 授权问题漏洞
Vulnerability Description
Capgo是CAPGO公司的一个专为CapacitorJS开发者打造的移动应用开发和更新平台。 Capgo 12.128.2之前版本存在授权问题漏洞,该漏洞源于public.manifest INSERT策略存在授权绕过问题,允许只读组织成员插入OTA manifest行,攻击者可通过只读组织访问权限注入包含任意s3_path值的恶意manifest条目,这些条目通过未经验证的/updates端点提供给设备,实现OTA元数据投毒和潜在恶意资产分发。
CVSS Information
N/A
Vulnerability Type
N/A