Comments (2)
from cev-eris.
To clarify, this is only an issue if an XSS vulnerability is present, meaning text is reflected unsanitized to players in some way. The issue is that the verb can be fed using a feature implemented by BYOND like ?winset to run the verb with params. The verb is very powerful, essentially a tiny scripting language, so it shouldn't be accessible in this manner (instead fed using an input shown directly to the user, or confirmed before executing). So for this to be an issue, an admin with debug perms would have to specifically be targeted by the exploiter.

For a popular example, back in around ~2015 paper code in most servers stored unsanitized text, and people would use this to turn the entire server into monkeys by showing the paper to an admin. The issue there is the verb that turns every player into a monkey, because it doesn't confirm first that the admin wants to use it. This isn't inherently exploitable if you have no XSS vulnerabilities.
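As an added illustration of the mitigation the comment describes (this is example code, not from the cev-eris codebase), a BYOND DM debug verb that takes no verb argument a crafted link could pre-fill, reads its parameter through an input() prompt shown directly to the admin, and requires an explicit alert() confirmation before acting. The rights check `is_debug_admin()` and the action `transform_all_players()` are hypothetical placeholders for the codebase's own procs.

```dm
// Added example, not cev-eris code: a debug verb hardened against being
// triggered silently through reflected text (?winset / ?command links).
/client/verb/debug_transform_all()
	set name = "Debug: Transform All Players"
	set category = "Debug"

	// Placeholder: substitute the codebase's real admin/debug rights check.
	if(!is_debug_admin())
		return

	// Parameter comes from a prompt the admin actually sees, not from a
	// verb argument that a link or winset command could supply.
	var/target_type = input(src, "Which mob type should every player become?", "Debug") as null|text
	if(!target_type)
		return

	// Explicit confirmation: an admin who never opened this verb will see an
	// unexpected dialog instead of the whole server being transformed.
	if(alert(src, "Transform ALL connected players into [target_type]?", "Confirm", "No", "Yes") != "Yes")
		return

	// Built-in world log; an SS13 codebase would normally use its own admin log proc.
	world.log << "[key] ran debug_transform_all with target [target_type]"

	// Placeholder for the actual mass transformation.
	transform_all_players(target_type)
```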