Sho-Luv

**Name of the Vulnerable Software and Affected Versions** osctrl versions prior to 0.5.0 **Description** osctrl is a management solution for osquery. A command injection issue exists in the `osctrl-admin` environment configuration before version 0.5.0. An authenticated administrator can inject arbitrary shell commands through the hostname parameter when creating or editing environments. These commands are embedded into enrollment scripts generated using Go's `text/template` package, which does not perform shell escaping, and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. The **API endpoint** used for environment configuration is within the `osctrl-admin` interface. The vulnerable parameter is `hostname`. **Recommendations** Restrict osctrl administrator access to trusted personnel. Review existing environment configurations for suspicious hostnames. Monitor enrollment scripts for unexpected commands.

**Name of the Vulnerable Software and Affected Versions** osctrl versions prior to 0.5.0 **Description** osctrl is an osquery management solution. A stored cross-site scripting (XSS) issue exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user, including administrators, who visits the query list page. This can be combined with Cross-Site Request Forgery (CSRF) token extraction to escalate privileges and perform actions as the logged-in user. An attacker with query-level permissions can execute arbitrary JavaScript in the browsers of all users who view the query list, potentially leading to full platform compromise if an administrator executes the payload. **Recommendations** Restrict query-level permissions to trusted users. Monitor the query list for suspicious payloads. Review osctrl user accounts for unauthorized administrators.