Sharp
Monthly
Authorization bypass in Sharp (code16/sharp Laravel CMS package) versions 9.0.0 through 9.22.3 permits authenticated users lacking create permissions to invoke Quick Creation Command endpoints directly, circumventing the authorization layer to either retrieve entity creation forms or submit new records. The root cause is a missing `authorizationManager->check('create', $entityKey)` call in both the constructor and the `create` method of `ApiEntityListQuickCreationCommandController`, meaning the restriction enforced at the entity list level was not replicated at the command controller level. No public exploit exists and no CISA KEV listing is present; vendor-released patch v9.22.3 closes both vulnerable endpoints.
sharp is an application for Node.js image processing. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.
Authorization bypass in Sharp (code16/sharp Laravel CMS package) versions 9.0.0 through 9.22.3 permits authenticated users lacking create permissions to invoke Quick Creation Command endpoints directly, circumventing the authorization layer to either retrieve entity creation forms or submit new records. The root cause is a missing `authorizationManager->check('create', $entityKey)` call in both the constructor and the `create` method of `ApiEntityListQuickCreationCommandController`, meaning the restriction enforced at the entity list level was not replicated at the command controller level. No public exploit exists and no CISA KEV listing is present; vendor-released patch v9.22.3 closes both vulnerable endpoints.
sharp is an application for Node.js image processing. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.