Beanduan22

**Name of the Vulnerable Software and Affected Versions** Microsoft UFO versions prior to 3.0.1 **Description** An OS command injection issue exists in the shell action replay path. The functions `ShellReceiver.run shell()` and `ShellReceiver.execute command()` pass command strings from action parameters directly to `subprocess.Popen()` using `shell=True` and `executable=powershell.exe`. These functions are triggered by action classes such as `RunShellCommand.execute()` and `ExecuteCommand.execute()`, which forward stored action parameters. Since the framework stores planned and executed actions in per-session JSON records, an attacker capable of writing or modifying these JSON files can plant a shell action. This allows the execution of arbitrary commands as the process user when the session is resumed or replayed. **Recommendations** Update to a version later than 3.0.0.

**Name of the Vulnerable Software and Affected Versions** Microsoft UFO version 3.0.1-4-ge2626659 **Description** Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. The software uses the user-controlled `task name` value directly when constructing session log paths. An authenticated client can supply path traversal sequences in the `task name` variable, allowing the creation of log directories and log files outside the intended 'logs/' directory. Path traversal is a technique used to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash (../) sequences. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft UFO version 3.0.1-4-ge2626659 **Description** The WebSocket control plane trusts client-supplied identity and role fields in task messages. An authenticated WebSocket client with a shared server token can register as a normal device and subsequently send a TASK message claiming `client type`="constellation" and a specific `target id`. Because the server relies on the role and target values provided in the message instead of the role registered to the connection, a client can spoof the higher-privilege constellation role to dispatch controlled tasks to another connected device. Additionally, the client registry permits duplicate `client id` registration, which allows an attacker to overwrite a live client's stored websocket, role, and task protocol, leading to peer task hijacking. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft UFO version 3.0.1-4-ge2626659 **Description** Microsoft UFO creates a single shared `UFOWebSocketHandler` instance that is reused across multiple authenticated WebSocket connections. The handler stores protocol objects for each connection in mutable instance fields, which are overwritten whenever a new WebSocket connection is established. Consequently, message handlers transmit responses via these shared fields rather than using the protocol objects linked to the original connection. This allows the most recently connected authenticated client to receive protocol responses intended for other authenticated clients. **Recommendations** For version 3.0.1-4-ge2626659, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft UFO version 3.0.1-4-ge2626659 **Description** The constellation client in this open-source framework for intelligent automation tracks pending task responses using only the `session id` and fails to verify if a TASK END message originated from the device that initially received the task. While the pending task record includes the expected device ID, the completion path ignores this binding. Consequently, an authenticated peer device can send a forged TASK END message with a matching `session id`, leading the constellation to accept the response and complete the victim device's pending Future with attacker-controlled result data. This results in an authenticated cross-device task-result injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft UFO version 3.0.1-4-ge2626659 **Description** Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. The software accepts client-supplied `session id` values in WebSocket task messages and reuses an existing in-memory session object if that `session id` already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same `session id`. The server then re-enters the existing session object and sends the stale stored result to the new requester through the `send task end()` callback path. This results in an authenticated cross-client stale result replay, which requires the attacker to know or predict a live or recently completed `session id`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.