PT-2024-37525 · Conduit · Conduit

Published: 2024-06-25 · Updated: 2024-09-20 · CVE-2024-6303

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Conduit versions prior to 0.7.0
Description: The Client-Server API handlers that create and remove room aliases (PUT and DELETE on /_matrix/client/v3/directory/room/{roomAlias}) performed no authorization beyond requiring a logged-in user, so any account could remove an alias from a room it does not belong to and attach that alias to a room of its own. Conduit locates its admin room through the #admins alias and executes admin commands posted there; a user who deletes #admins and re-creates it pointing at a room they control therefore obtains the full admin command set, including resetting other users' passwords, signing JSON with the server's signing key, deactivating users, and more. Because only an ordinary account is needed (PR:L) and the impact crosses from the API into server administration (S:C), the issue is rated critical.
Recommendations: Update Conduit to version 0.7.0 or later, which adds the missing authorization checks. Until the update is applied, limit who can reach the Client-Server API (for example, by disabling open registration and exposing the API only to trusted users), since any authenticated account is sufficient to exploit the issue, and avoid relying on admin-room commands for sensitive operations until the server is patched. After upgrading, verify that #admins still resolves to the original admin room and review any alias changes made while the vulnerable version was deployed.
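The authorization decision the advisory describes as missing, shown as an added example in Rust (Conduit's language). This is not Conduit's code and not the 0.7.0 fix; the server name, room and user identifiers are constructed, and the policy rules (alias creator or a member holding at least the m.room.canonical_alias power level may remove an alias, only a joined member may create one, and the #admins alias is reserved to server admins) are assumptions chosen to illustrate the bug class. The vulnerable and hardened checks are placed side by side and run against the two-step escalation from the description.

```rust
// Added example, not Conduit's code: a minimal model of the authorization decision a
// homeserver must make before honouring PUT/DELETE /_matrix/client/v3/directory/room/{alias}.
// The policy rules below are assumptions chosen to show the bug class, not the 0.7.0 fix.
use std::collections::{HashMap, HashSet};

pub const SERVER_NAME: &str = "example.org"; // constructed server name

/// Alias through which the admin room is resolved (assumed form `#admins:<server>`).
pub fn admin_alias() -> String {
    format!("#admins:{}", SERVER_NAME)
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum AliasOp {
    Put,
    Delete,
}

/// Room state the check needs: joined members, per-user power levels and the power
/// required for m.room.canonical_alias (assumed here to gate alias changes).
pub struct Room {
    pub joined: HashSet<String>,
    pub power_levels: HashMap<String, i64>,
    pub canonical_alias_power: i64,
}

/// What the directory records for an existing alias.
pub struct AliasEntry {
    pub room_id: String,
    pub created_by: String,
}

pub struct Directory {
    pub rooms: HashMap<String, Room>,         // room_id -> state
    pub aliases: HashMap<String, AliasEntry>, // alias -> entry
    pub server_admins: HashSet<String>,
}

type Check = fn(&Directory, &str, AliasOp, &str, &str) -> Result<(), &'static str>;

/// Vulnerable shape: the only check is that the caller is logged in (PR:L in the vector).
pub fn authorize_vulnerable(_d: &Directory, user: &str, _op: AliasOp, _alias: &str, _room: &str)
    -> Result<(), &'static str> {
    if user.is_empty() { Err("not authenticated") } else { Ok(()) }
}

/// Hardened shape: every directory write is tied to the caller's standing in the room.
pub fn authorize(d: &Directory, user: &str, op: AliasOp, alias: &str, room_id: &str)
    -> Result<(), &'static str> {
    let suffix = format!(":{}", SERVER_NAME);
    if !alias.starts_with('#') || !alias.ends_with(suffix.as_str()) {
        return Err("alias is not local to this server");
    }
    // The admin alias is reserved: letting a non-admin re-point it is the escalation itself.
    if alias == admin_alias() && !d.server_admins.contains(user) {
        return Err("admin alias is reserved");
    }
    match op {
        AliasOp::Put => {
            if d.aliases.contains_key(alias) {
                return Err("alias already exists");
            }
            let room = d.rooms.get(room_id).ok_or("unknown room")?;
            if !room.joined.contains(user) {
                return Err("user is not joined to the target room");
            }
            Ok(())
        }
        AliasOp::Delete => {
            let entry = d.aliases.get(alias).ok_or("alias not found")?;
            if entry.created_by == user {
                return Ok(()); // the alias creator may always remove it
            }
            let room = d.rooms.get(&entry.room_id).ok_or("unknown room")?;
            let power = *room.power_levels.get(user).unwrap_or(&0);
            if room.joined.contains(user) && power >= room.canonical_alias_power {
                return Ok(());
            }
            Err("user may neither delete the alias nor change the room's aliases")
        }
    }
}

/// Constructed state: a real admin room behind #admins, and a room the attacker controls.
pub fn sample_directory() -> Directory {
    let room = |member: &str| Room {
        joined: HashSet::from([member.to_string()]),
        power_levels: HashMap::from([(member.to_string(), 100)]),
        canonical_alias_power: 50,
    };
    let rooms = HashMap::from([
        ("!admin:example.org".to_string(), room("@conduit:example.org")),
        ("!evil:example.org".to_string(), room("@mallory:example.org")),
    ]);
    let entry = |room_id: &str, by: &str| AliasEntry { room_id: room_id.into(), created_by: by.into() };
    let aliases = HashMap::from([
        (admin_alias(), entry("!admin:example.org", "@conduit:example.org")),
        ("#chat:example.org".to_string(), entry("!admin:example.org", "@conduit:example.org")),
    ]);
    Directory { rooms, aliases, server_admins: HashSet::from(["@conduit:example.org".to_string()]) }
}

fn main() {
    let d = sample_directory();
    let (mallory, admin) = ("@mallory:example.org", admin_alias());
    // The two-step escalation from the description, run against both policies.
    let checks: [(&str, Check); 2] = [("vulnerable", authorize_vulnerable), ("hardened", authorize)];
    for (label, check) in checks {
        let delete = check(&d, mallory, AliasOp::Delete, &admin, "");
        let repoint = check(&d, mallory, AliasOp::Put, &admin, "!evil:example.org");
        println!("{}: delete #admins -> {:?}; re-point #admins -> {:?}", label, delete, repoint);
    }
}
```

The point of the side-by-side is that the vulnerable handler answers every question with "is this user logged in?", which is exactly the authorization gap behind the CVE, while the hardened handler asks what the caller is allowed to do in the room the alias refers to. Reserving the admin alias outright is a defence in depth on top of the per-room check, because that alias is the one whose ownership turns into server-level privilege.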

Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2024-6303
Affected Products: Conduit