Security Advisory

CVE-2024-6303

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2024-06-25 13:02:05
Last updated 2024-08-29 15:05:00
Assigner GitLab
State PUBLISHED

Description

Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords, siging json with the servers key, deactivating users, and more