Signal K Server
Signal K Server versions prior to 2.20.3 on Windows contain a path traversal vulnerability in the applicationData API that allows authenticated users to read, write, and list arbitrary files by bypassing directory validation using backslashes. The vulnerability exists because the validateAppId() function only blocks forward slashes, allowing attackers to escape the intended applicationData directory through Windows path semantics. Public exploit code exists for this medium-severity flaw, and a patch is available in version 2.20.3.
Command injection in Signal K Server (maritime navigation) before 1.5.0 allows authenticated users to execute OS commands. EPSS 4.96%; PoC and patch available.
Signal K Server is a server application that runs on a central hub in a boat. [CVSS 6.3 MEDIUM]
Signal K Server before 2.19.0 exposes two features that chain together to steal JWT tokens without authentication: WebSocket-based request enumeration plus unauthenticated polling of access request status. An attacker can hijack admin sessions remotely. PoC available.
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. [CVSS 7.2 HIGH]
Signal K Server is a server application that runs on a central hub in a boat. [CVSS 5.3 MEDIUM]
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). [CVSS 7.5 HIGH]
Signal K Server (for boats) before 2.19.0 allows unauthenticated attackers to hijack the backup restore function by polluting the internal restoreFilePath state via the /validateBackup endpoint. This enables overwriting security.json and other critical files to achieve OS command injection.