← Voltar para CVEs
CVE-2026-30233
MEDIUM6.5
Descricao
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be correctly denied, the backend does not enforce IsAllowedView() when constructing dashboard and action binding responses. As a result, restricted users can retrieve action titles, IDs, icons, and argument metadata. This issue has been patched in version 3000.11.1.
Detalhes CVE
Pontuacao CVSS v3.16.5
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado3/6/2026
Ultima modificacao3/12/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
olivetin:olivetin
Fraquezas (CWE)
CWE-200CWE-862CWE-862
Referencias
https://github.com/OliveTin/OliveTin/commit/d7962710e7c46f6bdda4188b5b0cdbde4be665a0(security-advisories@github.com)
https://github.com/OliveTin/OliveTin/releases/tag/3000.11.1(security-advisories@github.com)
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jf73-858c-54pg(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.