Alf.Io · CVE-2026-35482
**Name of the Vulnerable Software and Affected Versions**
alf.io versions prior to 2.0-M5-2606
**Description**
An authenticated administrator can execute arbitrary operating system commands on the server because of a sandbox escape in the extension script engine. The engine is designed to run restricted JavaScript inside a sandboxed Rhino environment. However, an unguarded Java object (`returnClass`) injected into the script scope, combined with an incomplete AST (Abstract Syntax Tree) blocklist, lets a script reach Java reflection and bypass the sandbox without triggering any validation error.
**Recommendations**
Update to version 2.0-M5-2606.