Waoowaoo
Monthly
Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.
Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.
Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.
Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.