An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master.
The CWE-829 vulnerability (Inclusion of Functionality from Untrusted Control Sphere) occurs when an application downloads and executes code or resources from external, untrusted sources without proper verification of their integrity or origin. An attacker can influence which code is loaded by the application by substituting their own malicious functionality. The attack vector is network-based (AV:N), requires no authentication (PR:N) and no user interaction (UI:N), which means it is possible to exploit fully remotely and automatically.
Successful exploitation of the vulnerability may lead to complete breach of system confidentiality, integrity, and availability — attackers may gain unauthorized access to data, modify application content, or cause it to become unavailable.
Patches available from the vendor should be applied according to references. It is recommended to monitor the project repository at https://github.com/Miazzy/oa-front-service and analyze the indicated proof-of-concept at https://gist.github.com/zcxlighthouse/a29d9de46c4eac2de5c4d5a7b6c6c532 to assess the threat and implement appropriate remedial measures.
Miazzy oa-front-service, master branch (specific versions indicated in vendor references)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMiazzy Oa Font Service
APPMiazzymaster