Cronicle
Monthly
Cronicle prior to 0.9.111 allows low-privilege authenticated users to modify arbitrary event properties via an authorization bypass in the job child process update mechanism. An attacker with permission to create and run events can inject an update_event key in JSON output that the server applies directly to any event's configuration without authorization checks, enabling modification of webhook URLs, notification emails, and other sensitive event parameters. This vulnerability requires prior authentication and event creation capabilities but represents a significant privilege escalation risk in multi-user Cronicle deployments.
Stored cross-site scripting (XSS) in Cronicle prior to 0.9.111 allows authenticated users with create_events and run_events privileges to inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The injected payload is stored server-side without sanitization and executed client-side via innerHTML when other users view the Job Details page, enabling session hijacking, credential theft, or malicious actions performed in the context of the viewing user's session. No public exploit code or active exploitation has been reported at the time of analysis.
Cronicle prior to 0.9.111 allows low-privilege authenticated users to modify arbitrary event properties via an authorization bypass in the job child process update mechanism. An attacker with permission to create and run events can inject an update_event key in JSON output that the server applies directly to any event's configuration without authorization checks, enabling modification of webhook URLs, notification emails, and other sensitive event parameters. This vulnerability requires prior authentication and event creation capabilities but represents a significant privilege escalation risk in multi-user Cronicle deployments.
Stored cross-site scripting (XSS) in Cronicle prior to 0.9.111 allows authenticated users with create_events and run_events privileges to inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The injected payload is stored server-side without sanitization and executed client-side via innerHTML when other users view the Job Details page, enabling session hijacking, credential theft, or malicious actions performed in the context of the viewing user's session. No public exploit code or active exploitation has been reported at the time of analysis.