Pi Mono
Monthly
Authentication bypass in badlogic pi-mono up to version 0.58.4 allows authenticated attackers to escalate privileges or access unauthorized Slack channels via the pi-mom Slack Bot component. The vulnerability stems from improper authentication validation in the Slack channel routing logic and can be exploited remotely by users with existing access to the system. Public exploit code is available, and the vendor has not responded to disclosure attempts, making this an active security concern for deployed instances.
Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability has a moderate CVSS score (6.3) but represents a significant risk because exploit code is public and the vendor has not engaged.
Cross-site scripting (XSS) in badlogic pi-mono 0.58.4 SVG Artifact Handler allows unauthenticated remote attackers to inject malicious scripts via the SvgArtifact.ts component, affecting application integrity when users interact with crafted SVG artifacts. Publicly available exploit code exists, and the vendor has not responded to disclosure despite early notification.