
Baixin513

#19105 of 53,634
14 CVSS total
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-43404
7.5
2026-05-26
1Panel Dev · Maxkb · CVE-2026-44847
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0.
PT-2023-24765
6.5
2023-06-27
Unknown · Cloudexplorer Lite · CVE-2023-34240
**Name of the Vulnerable Software and Affected Versions**
cloudexplorer-lite versions prior to 1.2.0

**Description**
The issue is related to weak passwords that can be easily guessed, making them an easy target for brute force attacks. This can lead to an authentication system failure and compromise system security.

**Recommendations**
For versions prior to 1.2.0, upgrade to version 1.2.0 to fix the issue. At the moment, there are no known workarounds for this vulnerability.