ConsoleMe · CVE-2024-5023
Name of the Vulnerable Software and Affected Versions:
ConsoleMe versions prior to 1.4.0
Description:
The issue is a Command Injection: authenticated users can achieve a limited form of Remote Code Execution (RCE) in ConsoleMe, restricted to injecting flags into a single CLI command. Full RCE is unlikely because of this constraint. One flag, however, allows authenticated users to read any server file accessible to the ConsoleMe process, which could be exploited for privilege escalation. The issue affects deployments of ConsoleMe that enable templated resources: the self-service flow for templated resources accepts a user-supplied JSON POST body that includes the filename of the templated resource, and this filename is not sanitized before being passed directly as a string into a CLI command.
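As an added illustration (not ConsoleMe's own code), the following contrasts the unsafe pattern the advisory describes, a user-supplied filename interpolated straight into a command string, with a hardened version that validates the name, confines it to the templates repository, and passes it as a separate argv element after `--`. The CLI name `render-template`, the repository path, and the assumption that the CLI honours the POSIX `--` end-of-options convention are all hypothetical.

```python
import re
import subprocess
from pathlib import Path

# Assumed repository root for templated resources (placeholder, not a ConsoleMe path).
TEMPLATE_ROOT = Path("/srv/templates")

# Plain relative names only: the first character may not be '-' (a CLI would parse it
# as a flag), and path separators / traversal are excluded by the character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def build_command_unsafe(filename: str) -> str:
    """The pattern behind the advisory: an untrusted JSON field becomes part of a shell string."""
    return f"render-template --file {filename}"


def validate_template_name(filename: str) -> Path:
    """Return the resolved path of an allowed template, or raise ValueError."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("invalid template filename")
    target = (TEMPLATE_ROOT / filename).resolve()
    # Second check: the resolved path must still sit inside the repository root.
    if TEMPLATE_ROOT.resolve() not in target.parents:
        raise ValueError("template path escapes repository root")
    return target


def is_allowed_template_name(filename: str) -> bool:
    """Convenience wrapper for callers that only need an accept/reject decision."""
    try:
        validate_template_name(filename)
    except ValueError:
        return False
    return True


def build_command_hardened(filename: str) -> list:
    """argv list, no shell; '--' stops option parsing so the name can never act as a flag."""
    path = validate_template_name(filename)
    return ["render-template", "--", str(path)]


def run_hardened(filename: str) -> subprocess.CompletedProcess:
    """Execute without a shell so no string is ever re-parsed by /bin/sh."""
    return subprocess.run(build_command_hardened(filename), shell=False,
                          capture_output=True, text=True, check=False)
```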
Recommendations:
To resolve the issue, update to version 1.4.0 or later. If you cannot upgrade, you can selectively apply the code changes from the provided pull request. Alternatively, removing the configuration item `cache_resource_templates.repositories`, or setting it to an empty array, mitigates the issue but breaks functionality (templated resources will no longer be available through self-service). As a temporary workaround, consider restricting access to templated resources until the patch is applied.