
Sandpoot

Rank #23931 of 53,624 · Total CVSS 9.9 · Vulnerabilities: 1
PT-2024-29565 · CVSS 9.9 · Published 2024-07-29
Vendor: Unknown · Product: Tgstation-Server · CVE-2024-41799
**Name of the Vulnerable Software and Affected Versions**

tgstation-server versions prior to 6.8.0

**Description**

Low-permission users holding the "Set .dme Path" privilege can point an instance at an arbitrary .dme file that already exists on the host machine, and that file is then compiled and executed. The malicious .dme could have been placed there through tgstation-server itself or by some other means. If the server is configured to run at BYOND's trusted security level, this escalates to remote code execution on the host through BYOND's shell() proc. Attacks of this kind are a known consequence of granting privileged TGS permissions, but they normally require several privileges with known weaknesses; here the single "Set .dme Path" privilege is enough.

**Recommendations**

For versions prior to 6.8.0, upgrade to version 6.8.0 or later. As a temporary workaround, do not grant untrusted users the Deployment permission that allows setting a .dme path on instances.
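The weakness described above is a user-controlled path being handed to a compile step without confinement. The following is an added example (not tgstation-server code, and not a claim about how 6.8.0 fixed the issue): it models the pre-6.8.0 behaviour as a function that accepts any host path, and beside it one way to harden the check by accepting only a `.dme` that resolves inside the instance's repository directory. The function names, the `DmePathRejected` exception and the repository path `/srv/tgs/instances/main/Repository` are assumptions constructed for the example.

```python
"""Confining a user-supplied .dme path to the instance repository.

Added example, not tgstation-server code. The API shape (a Deployment user
supplies a path that is then compiled) and the paths below are assumptions.
"""
import posixpath


class DmePathRejected(ValueError):
    """Raised when a requested .dme path fails the confinement check."""


def set_dme_path_vulnerable(instance_repo: str, requested: str) -> str:
    """Model of the unsafe behaviour: any path on the host is accepted.

    Relative paths are joined onto the repository, but '..' components and
    absolute paths are not checked, so any existing .dme on the host can be
    selected for compilation.
    """
    return posixpath.normpath(posixpath.join(instance_repo, requested))


def set_dme_path_hardened(instance_repo: str, requested: str) -> str:
    """Accept only a .dme file that resolves inside the instance repository.

    posixpath is used so the example behaves identically on every host; on a
    real filesystem use os.path.realpath on both sides as well, so a symlink
    inside the repository cannot point back out of it.
    """
    root = posixpath.normpath(instance_repo)
    if not posixpath.isabs(root):
        raise DmePathRejected("instance repository must be an absolute path")
    if posixpath.isabs(requested):
        raise DmePathRejected("absolute .dme paths are not allowed")
    if not requested.endswith(".dme"):
        raise DmePathRejected("path must point at a .dme file")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath (not startswith) also defeats prefix tricks such as
    # ../Repository-evil/x.dme, which shares a string prefix with root.
    if posixpath.commonpath([root, candidate]) != root:
        raise DmePathRejected(f"{requested!r} escapes the instance repository")
    return candidate


def dme_path_accepted(instance_repo: str, requested: str) -> bool:
    """True if the hardened check would allow this request."""
    try:
        set_dme_path_hardened(instance_repo, requested)
    except DmePathRejected:
        return False
    return True


def main() -> None:
    repo = "/srv/tgs/instances/main/Repository"  # constructed instance path
    attempts = [
        "tgstation.dme",                              # legitimate
        "../../../../../../tmp/uploaded/evil.dme",    # traversal out of repo
        "/tmp/uploaded/evil.dme",                     # absolute host path
        "../Repository-evil/x.dme",                   # prefix trick
        "notes.txt",                                  # wrong file type
    ]
    for req in attempts:
        unsafe = set_dme_path_vulnerable(repo, req)
        try:
            safe = set_dme_path_hardened(repo, req)
        except DmePathRejected as exc:
            safe = f"rejected ({exc})"
        print(f"{req!r}\n  vulnerable -> {unsafe}\n  hardened   -> {safe}")


if __name__ == "__main__":
    main()
```

The vulnerable model resolves both the traversal and the absolute path to `/tmp/uploaded/evil.dme`, which is exactly the "malicious .dme existing on the host machine" case in the advisory; the hardened check rejects all three escape attempts and the non-.dme file while still accepting the in-repository project. Combine a check like this with the advisory's workaround (do not hand the Deployment permission to untrusted users), since confinement limits which files can be selected but does not remove the trust placed in the BYOND trusted security level.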