x/vulndb: potential Go vuln in github.com/plentico/plenti: GHSA-mj4v-hp69-27x5

[GoVulnBot]

Advisory GHSA-mj4v-hp69-27x5 references a vulnerability in the following Go modules:

Module
github.com/plentico/plenti

Description:

Summary

While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context.

Details

While posting a file via postLocal, any attacker will add javascript codes to file parameter. That parameter content pass to componentSignature method after some validation. After that componentSignature parameter concat with ssrStr parameter.

Last part of compileSvelte function ssrStr parameter executed in v8go engine.

<img wi...

References:

• ADVISORY: GHSA-mj4v-hp69-27x5
• ADVISORY: GHSA-mj4v-hp69-27x5
• FIX: plentico/plenti@c3e72a9

Cross references:

• github.com/plentico/plenti appears in 2 other report(s):
  • data/reports/GO-2024-3213.yaml (x/vulndb: potential Go vuln in github.com/plentico/plenti: CVE-2024-49380 #3213)
  • data/reports/GO-2024-3214.yaml (x/vulndb: potential Go vuln in github.com/plentico/plenti: CVE-2024-49381 #3214)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/plentico/plenti
      non_go_versions:
        - introduced: TODO (earliest fixed "0.7.17", vuln range "<= 0.7.16")
      vulnerable_at: 0.7.17
summary: Plenti - Code Injection - Denial of Services in github.com/plentico/plenti
ghsas:
    - GHSA-mj4v-hp69-27x5
references:
    - advisory: https://github.com/advisories/GHSA-mj4v-hp69-27x5
    - advisory: https://github.com/plentico/plenti/security/advisories/GHSA-mj4v-hp69-27x5
    - fix: https://github.com/plentico/plenti/commit/c3e72a9ebbc2a03f4b0f3104becbfc25e390cb8e
source:
    id: GHSA-mj4v-hp69-27x5
    created: 2025-02-05T22:01:16.900589046Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/647055 mentions this issue: data/reports: add 3 unreviewed reports