CVE-2024-6303
Published
CVSS v3
9.9
CRITICAL
CVSS v2
N/A
Affected
1
PROJECT
Description
Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords, siging json with the server's key, deactivating users, and more
Conduit is a simple, fast and reliable chat server powered by Matrix https://conduit.rs
GitLab