GHSA-fwcm-rqvw-j3p7 (High)
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
🔗 CVE IDs covered (1)
📋 Description
Summary
An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.
Details
The issue is caused by the combination of these code paths:
- server/api/apikeys/verify-api-or-token.js:45 sends requests without x-api-key to authJwt.verifyToken(req, res, next).
- server/api/jwt-helper.js:46-64 creates a signed guest token when no x-access-token is provided: if (!token) { token = getGuestToken(); } and then populates req.userId / req.userGroups from that guest token.
- server/api/command/index.js:76-105 exposes /api/getTagValue.
- server/runtime/scripts/index.js:106-111 returns true when the referenced script does not exist: if (!script) { return true; }
As a result, an unauthenticated request reaches /api/getTagValue as guest, and the authorization check is bypassed because isAuthorisedByScriptName() returns true when sourceScriptName is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.
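The chain described above, reduced to a self-contained model that sets the fail-open check beside a fail-closed one. This is an added example, not FUXA's code or its actual patch; the script registry, tag store, token table, bitmask permission model and the function names other than the endpoint's role are all assumptions made for illustration.

```javascript
// Constructed model of the decision chain; names and data are hypothetical, not FUXA source.
const scripts = [{ name: 'pump-control', permission: 2 }]; // sample script registry
const tags = { t_001: 42.5 };                              // sample tag store
const tokens = { 'tok-operator': { userId: 'operator', groups: 2, guest: false } };

// A request with no x-access-token is silently given a guest identity.
function resolveUser(headers) {
  const token = headers['x-access-token'];
  if (!token) return { userId: 'guest', groups: 0, guest: true };
  return tokens[token] || null; // unknown token: reject
}

// Fail-open: a script name that matches nothing counts as authorised.
function isAuthorisedFailOpen(scriptName, user) {
  const script = scripts.find((s) => s.name === scriptName);
  if (!script) return true;
  return (user.groups & script.permission) !== 0;
}

// Fail-closed: an unknown script or a guest identity is denied (assumed hardening).
function isAuthorisedFailClosed(scriptName, user) {
  const script = scripts.find((s) => s.name === scriptName);
  if (!script || user.guest) return false;
  return (user.groups & script.permission) !== 0;
}

// Endpoint model: authenticate, authorise by script name, then read the tag by ID.
function getTagValue(req, authorise) {
  const user = resolveUser(req.headers);
  if (!user) return { status: 401 };
  if (!authorise(req.body.sourceScriptName, user)) return { status: 403 };
  return { status: 200, value: tags[req.body.id] };
}

// Constructed requests: anonymous with no script name, and an authenticated operator.
const anonymous = { headers: {}, body: { id: 't_001' } };
const operator = {
  headers: { 'x-access-token': 'tok-operator' },
  body: { id: 't_001', sourceScriptName: 'pump-control' },
};

console.log(getTagValue(anonymous, isAuthorisedFailOpen));   // tag value returned to guest
console.log(getTagValue(anonymous, isAuthorisedFailClosed)); // denied
console.log(getTagValue(operator, isAuthorisedFailClosed));  // legitimate caller still served
```

The same comparison works as a regression test: any authorization helper that returns true on a lookup miss should fail it.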
PoC
Requests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.
🎯 Affected products (1)
- npm/fuxa-server:= 1.3.0
🔗 References (5)
- https://github.com/frangoteam/FUXA/security/advisories/GHSA-fwcm-rqvw-j3p7
- https://github.com/frangoteam/FUXA/pull/2260
- https://github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4
- https://github.com/frangoteam/FUXA/releases/tag/v1.3.1
- https://github.com/advisories/GHSA-fwcm-rqvw-j3p7