GHSA-fwcm-rqvw-j3p7
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
Details
### Summary An authorization bypass in the /api/getTagValue endpoint allows unauthenticated access to tag values when the referenced script does not exist.
### Details The issue is caused by the combination of these code paths:
- `server/api/apikeys/verify-api-or-token.js:45` sends requests without `x-api-key` to `authJwt.verifyToken(req, res, next)`. - `server/api/jwt-helper.js:46-64` creates a signed guest token when no `x-access-token` is provided: `if (!token) { token = getGuestToken(); }` and then populates `req.userId` / `req.userGroups` from that guest token. - `server/api/command/index.js:76-105` exposes `/api/getTagValue`. - `server/runtime/scripts/index.js:106-111` returns `true` when the referenced script does not exist: `if (!script) { return true; }`
As a result, an unauthenticated request reaches `/api/getTagValue` as `guest`, and the authorization check is bypassed because `isAuthorisedByScriptName()` returns `true` when `sourceScriptName` is omitted or does not match a real script. The endpoint then returns arbitrary tag values by ID.
### PoC
Requests to /api/getTagValue without authentication could succeed when the authorization logic evaluated a non-existent sourceScriptName as authorized.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/frangoteam/FUXA/security/advisories/GHSA-fwcm-rqvw-j3p7 [WEB]
- https://github.com/frangoteam/FUXA/pull/2260 [WEB]
- https://github.com/frangoteam/FUXA/commit/78534da61a91613712b44bb63c8d7da8c5df5ca4 [WEB]
- https://github.com/frangoteam/FUXA [PACKAGE]
- https://github.com/frangoteam/FUXA/releases/tag/v1.3.1 [WEB]