Credit:HRP & Aftersnow


Description:

The remote code execution attacks occurred because any component provided the code functionality, and the components were running on the local machine rather than in a sandbox.

Proof of Concept:

First, create a flow, then drag any component down, and then click on the code section in the image below to edit the code.

You can verify this by entering any code in the "Code" field:

evil="__import__(\\"os\\").system(\\"ls\\")"
Hack = eval(evil)

ac4c0ec2f1ad622ddd845429047800a.png

a7371bb3562ebadc3d5f5d50b00d6c0.png

The result is as follows:

c83a7d080fec2a5aabcbc045d1f4b3d.png