VYPR

tgstation-server

by tgstation

Source repositories

CVEs (6)

  • CVE-2020-16136HigJul 31, 2020
    risk 0.50cvss 7.7epss 0.02

    In tgstation-server 4.4.0 and 4.4.1, an authenticated user with permission to download logs can download any file on the server machine (accessible by the owner of the server process) via directory traversal ../ sequences in /Administration/Logs/ requests. The attacker is unable…

  • CVE-2025-21611Jan 6, 2025
    risk 0.00cvss epss 0.00

    tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all,…

  • CVE-2024-41799Jul 29, 2024
    risk 0.00cvss epss 0.01

    tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be…

  • CVE-2023-34243MedJun 8, 2023
    risk 0.00cvss 5.8epss 0.00

    TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was…

  • CVE-2023-33198MedMay 30, 2023
    risk 0.00cvss 6.1epss 0.01

    tgstation-server is a production scale tool for BYOND server management. The DreamMaker API (DMAPI) chat channel cache can possibly be poisoned by a tgstation-server (TGS) restart and reattach. This can result in sending chat messages to one of any of the configured IRC or…

  • CVE-2023-32687HigMay 29, 2023
    risk 0.00cvss 7.7epss 0.01

    tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connections strings without the associated permission. This issue is patched in version 5.12.1. As…