Affected versions of this package are vulnerable to Improper Access Control. Permission enforcement over WebSockets is not thoroughly checked, which can allow an unprivileged user to obtain data accessible only to admins, such as VMs, Backups, Audit, Users, and Groups.
The WebSockets that control the application API allow access to certain elements based purely on the response. For example, an attacker could manipulate the response of the resourceSet.getAll method to cause the UI to expose admin-level data.
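
The defence against this class of bug is to authorize every WebSocket API call on the server from session state, so that an altered response changes only what the client renders. The following is an added example, not code from the affected project: only resourceSet.getAll comes from the advisory, while the other method names, roles, error codes and sample data are constructed for illustration.

```javascript
// Server-side session state keyed by connection id (constructed sample data).
// The role is never taken from request params or from a response the client saw.
const SESSIONS = new Map([
  ['conn-1', { user: 'alice', role: 'admin' }],
  ['conn-2', { user: 'bob', role: 'user' }],
]);
const RANK = { user: 0, admin: 1 };

// Every method declares the minimum role it needs; unlisted methods are rejected.
// Only resourceSet.getAll is named in the advisory; the others are hypothetical.
const METHODS = {
  'resourceSet.getAll': { minRole: 'user', run: (s) => [{ id: 'rs-1', subjects: [s.user] }] },
  'user.getAll': { minRole: 'admin', run: () => [{ name: 'alice' }, { name: 'bob' }] },
  'backup.getAll': { minRole: 'admin', run: () => [{ id: 'bk-1' }] },
};

function rpcError(id, code, message) {
  return { jsonrpc: '2.0', id, error: { code, message } };
}

// Handle one WebSocket text frame (a JSON-RPC request) for a connection.
// 401 and 403 are application-defined error codes chosen for this example.
function handleFrame(connId, frame) {
  let req;
  try {
    req = JSON.parse(frame);
  } catch {
    return rpcError(null, -32700, 'parse error');
  }
  if (typeof req !== 'object' || req === null) return rpcError(null, -32600, 'invalid request');
  const id = req.id !== undefined ? req.id : null;

  const session = SESSIONS.get(connId);
  if (!session) return rpcError(id, 401, 'not authenticated');

  // Own-property lookup so names like "constructor" do not resolve to a handler.
  const known = Object.prototype.hasOwnProperty.call(METHODS, req.method);
  if (!known) return rpcError(id, -32601, 'method not found');
  const method = METHODS[req.method];

  // Checked on every call, before the handler runs, using server state only.
  if (RANK[session.role] < RANK[method.minRole]) return rpcError(id, 403, 'forbidden');
  return { jsonrpc: '2.0', id, result: method.run(session, req.params) };
}
```

A client-supplied hint such as `params: { role: 'admin' }` has no effect here, because the decision reads only the server's session record.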
There is no fixed version for