
WeCube Platform

Results 66 wecube-platform issues

**Describe the bug you encountered** terminal plugin

bug

**Describe the bug you encountered** wecube v3.2.2 has CSV injection on these pages: [Home / Admin / Resources] page [Home / Admin / System Params] page [Home / Design / Basekey Configuration] page **How to reproduce** input ` =10+20+cmd|' /C...

bug

**Describe the bug you encountered** DOM XSS exists in the database query statement, wecube v3.2.2 **How to reproduce** Input `select < b onmouseover="window['ale'+'rt']('DOM XSS')">hello` or `select < b onmouseover='alert("XSS")'>hello` Notes: please remove the space after < **Expected behavior** JavaScript is allowed to execute and can steal cookies **Screenshots** ![01](https://user-images.githubusercontent.com/43329333/183077662-5c4234ba-92fd-4908-9a8c-8682844ac24f.jpeg) ![02](https://user-images.githubusercontent.com/43329333/183077677-c56e5f01-6d28-48a9-8be0-9c9bd8d8b9cb.png) **Additional**

bug

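**Describe your requirement** Question 1. The plugins dependency for terminal and isdangerous currently only supports platform v.2.9.0; is there a version for v3.x? Question 2. When uploading a file from the local machine, it keeps reporting that the register.xml file is missing; how can this be solved? Failed to upload package due to Plugin package definition file: [register.xml] does not exist. **Additional**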

enhancement

Bumps [aws-java-sdk-s3](https://github.com/aws/aws-sdk-java) from 1.11.106 to 1.12.261. Changelog Sourced from aws-java-sdk-s3's changelog. 1.12.261 2022-07-14 AWS Config Features Update ResourceType enum with values for Route53Resolver, Batch, DMS, Workspaces, Stepfunctions, SageMaker, ElasticLoadBalancingV2, MSK...

dependencies
java

No validation of ../ when extracting files ![image](https://user-images.githubusercontent.com/59077935/170941330-12f71eaf-4b49-4b79-a419-925926691625.png) Demo:

```java
package com.sp.test;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileItemFactory;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.io.FileUtils;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.commons.CommonsMultipartFile;
import org.xml.sax.SAXException;

import java.io.*;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class Demo {
    public static void main(String[] args) {
        MultipartFile file = fileToMultipartFile(new File("D:\\project\\os\\ne1111w.zip"));
        uploadPackage(file);
    }

    public static UploadPackageResultDto uploadPackage(MultipartFile pluginPackageFile) {
        // 1. save package file to local
        String tmpFileName = new...
```

bug

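Detected that WeBankPartners/wecube-platform includes 273 open-source components in total, with 124 vulnerabilities

```
Vulnerability title: Vmware VMware Spring Security permission and access control vulnerability
Affected component: org.springframework.security:[email protected]
Vulnerability ID: CVE-2021-22112
Vulnerability description: Vmware VMware Spring Security is a security framework from VMware (USA) that provides declarative security protection for Spring-based applications. A permission and access control vulnerability exists in VMware Spring Security. The vulnerability stems from attackers being able to bypass restrictions through multiple SecurityContext changes in Spring Security in order to escalate their privileges. The following products and versions are affected: Spring Security 5.4.0 to 5.4.3, Spring Security 5.3.0.RELEASE to 5.3.7.RELEASE...
```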

**Describe the bug you encountered** **How to reproduce** **Expected behavior** **Screenshots** **Additional**

bug

Update https://registry.npm.taobao.org to https://registry.npmmirror.com, Please refer to https://zhuanlan.zhihu.com/p/430580607.

**Describe the bug you encountered** **How to reproduce** **Expected behavior** **Screenshots** **Additional**

bug