CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21611 – tgstation-server's role authorization incorrectly OR'd with user's enabled status
https://notcve.org/view.php?id=CVE-2025-21611
06 Jan 2025 — tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions regardless of their permissions. Notably, the WriteUsers right is unaffected so users may not use this bug to permanently elevate their account permissions. The fix is release in tgstation-server-v6.12.3. tgstation-se... • https://github.com/tgstation/tgstation-server/commit/e7b1189620baaf03c2d23f6e164d07c7c7d87d57 • CWE-285: Improper Authorization •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41799 – tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users
https://notcve.org/view.php?id=CVE-2024-41799
29 Jul 2024 — tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server (requiring a separate, isolated privilege) or some other means. A server configured to execute in BYOND's trusted security level (requiring a third separate, isolated privilege OR being set by another user) co... • https://github.com/tgstation/tgstation-server/commit/374852fe5ae306415eb5aafb2d16b06897d7afe4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •