Budibase
Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection attacks. PoC available.
Path traversal in Budibase low-code platform 3.31.5 and earlier allows attackers to read arbitrary files through the application builder.
Arbitrary file upload in Budibase 3.24.0 and earlier allows authenticated attackers to bypass UI-level file extension restrictions and upload malicious files by directly manipulating requests. An attacker with valid credentials can circumvent the intended upload controls to potentially execute arbitrary code or compromise system integrity. No patch is currently available for this vulnerability.
Budibase suffers from missing server-side role validation in user management APIs, allowing Creator-level users to escalate privileges and perform unauthorized actions reserved for Tenant Admins and Owners. An authenticated attacker with Creator permissions can promote themselves to Tenant Admin, demote existing administrators, modify owner accounts, and manipulate organizational orders, resulting in complete tenant compromise. No patch is currently available for this high-severity vulnerability.
Command injection in Budibase 3.23.22 and earlier allows authenticated attackers with high privileges to execute arbitrary system commands by injecting malicious values into PostgreSQL connection parameters that are passed unsanitized into shell command construction. An attacker with administrative access can exploit this vulnerability to gain complete control over the underlying server hosting the Budibase instance. No patch is currently available for this vulnerability.
Unauthorized data access in Budibase low-code platform before 3.30.4 allows unauthenticated users to manipulate internal state. PoC and patch available.
Budibase is a low-code platform for creating internal tools, workflows, and admin panels. [CVSS 8.8 HIGH]