Plausible critical RCE < 3.2.1
github.com
v3.2.1 · plausible analytics · Discussion #6355
Security related update This patch release fixes a security vulnerability affecting the following versions of Plausible Community Edition (image: ghcr.io/plausible/community-edition): Tags: v3.2 v3......

Today I randomly fell on this release note, mentioning an RCE “under certain conditions”.
Digging up a bit, it’s a full-blown RCE on any default install. Worse, unless you were aware of the /storybook path, it’s very unlikely you blocked it.
I also wrote a small POC here: https://gist.github.com/Calyhre/67337024ece3762cbc3c9e4956b0e3d4
If you are using Plausible 3.0.0 through 3.2.0 inclusive, you should upgrade ASAP and rotate everything.
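
For judging exposure on an instance that ran an affected version, here is an added triage example (not part of the original post and not Plausible's code) that scans reverse-proxy access logs for requests to the /storybook path mentioned above and groups them by client. It assumes combined-format access logs; the sample lines, IP addresses, timestamps and sub-paths are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed log format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_storybook(target: str) -> bool:
    """True when the request path is /storybook or anything beneath it."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Normalise before matching: percent-decoding, duplicate slashes,
    # dot segments and case. Over-matching is acceptable for triage.
    path = re.sub(r"/+", "/", unquote(path))
    path = posixpath.normpath(path).lower()
    return path == "/storybook" or path.startswith("/storybook/")

def storybook_hits(lines):
    """Return {client_ip: [(time, method, target, status), ...]} for /storybook requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_storybook(m["target"]):
            hits[m["ip"]].append(
                (m["time"], m["method"], m["target"], int(m["status"]))
            )
    return dict(hits)

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /api/event HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:01:12 +0000] "GET /storybook HTTP/1.1" 200 5123 "-" "curl/8.5.0"',
    '198.51.100.7 - - [01/Jan/2025:10:01:15 +0000] "GET /Storybook//example?x=1 HTTP/1.1" 200 811 "-" "curl/8.5.0"',
    '203.0.113.5 - - [01/Jan/2025:11:30:02 +0000] "GET /%73torybook/ HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '192.0.2.10 - - [01/Jan/2025:11:31:00 +0000] "GET /storybooks HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in storybook_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} request(s) to /storybook")
        for when, method, target, status in reqs:
            print(f"    [{when}] {method} {target} -> {status}")
```

Any hit from an address you do not recognise, while the instance was on an affected version, is a reason to treat its secrets as exposed and rotate them as the post advises.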