GitHub Security Lab has found a potential vulnerability in plenti. Please let us know a good point of contact to disclose privately. GitHub has Private Vulnerability Reporting if you need a private point of contact.
Kevin
Thanks for reaching out, I just enabled private vulnerability reporting in the project settings. Please just let me know if you need anything else from me to disclose the issue. Thank you for flagging this to me!
The issue here was that the /postlocal endpoint could have been used to create/edit/delete files outside of your project root. So if you were running a project where someone ejected core files and inserted something malicious to the local publishing workflow, it could impact files on your computer that you did not intend.
This should be fixed in v0.7.2 so only files within the project root can be edited via the /postlocal endpoint. It's recommended to upgrade to this version for security, especially if using themes or collaborating on a project you did not personally create.
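As an added illustration of the root-containment check described above (this is not plenti's own code and not the actual v0.7.2 patch; the function name, the sample project root and the sample request paths are assumptions), the following Go function maps a client-supplied path onto the project root and refuses anything that resolves outside it:

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ResolveInRoot maps a client-supplied, root-relative path to an absolute
// path and reports false when the result would land outside root.
// Illustrative only: this is not plenti's code and not the v0.7.2 patch.
func ResolveInRoot(root, requested string) (string, bool) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", false
	}
	// Everything must be root-relative; absolute client paths are rejected.
	if filepath.IsAbs(requested) || strings.HasPrefix(requested, "/") {
		return "", false
	}
	// Join cleans the result, collapsing "." and ".." segments.
	candidate := filepath.Join(absRoot, filepath.FromSlash(requested))
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", false
	}
	// After cleaning, anything that escaped root begins with "..";
	// "." is the root directory itself, which is not a valid file target.
	if rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	// Caveat: symlinks under root are not resolved here; a production check
	// should also filepath.EvalSymlinks the nearest existing ancestor.
	return candidate, true
}

func main() {
	root := "/srv/my-plenti-site" // constructed sample project root
	for _, req := range []string{
		"content/index.json",
		"content/../../etc/passwd",
		"/etc/passwd",
	} {
		p, ok := ResolveInRoot(root, req)
		fmt.Printf("%-28q -> ok=%v path=%q\n", req, ok, p)
	}
}
```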