Agent Zero versions prior to 1.15 contain a stored cross-site scripting vulnerability in the image_get API endpoint. The endpoint serves user-accessible files without applying security headers such as Content-Security-Policy, X-Content-Type-Options and Content-Disposition. An attacker with filesystem access can place a crafted SVG file containing embedded JavaScript in any path readable by the agent-zer [truncated]
Agent Zero versions prior to 1.15 contain a path traversal vulnerability in the image file serving endpoint. The endpoint relies on an extension allowlist for security but has its path containment check explicitly disabled. This allows unauthenticated attackers to read arbitrary files readable by the process by supplying crafted paths with permitted image extensions. The vulnerability extends beyond the a [truncated]
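Both advisories describe the same endpoint shape: a file server gated by an extension allowlist, with no path containment and no response headers that stop a served SVG from executing script. The following Python is an added illustration written for this page, not Agent Zero's own code: it models a resolver with the containment check disabled next to a hardened one, and a header builder that applies the three headers the first advisory names. All identifiers (`IMAGE_EXTENSIONS`, `ServeError`, `resolve_vulnerable`, `resolve_hardened`, `headers_for`, `demo`) and the scratch file tree are assumptions made for the example.

```python
import os
import tempfile

# Constructed example, not the Agent Zero implementation. The allowlist and
# content-type table below are assumptions chosen for the demonstration.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
CONTENT_TYPES = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".svg": "image/svg+xml", ".webp": "image/webp",
}


class ServeError(Exception):
    """Raised when a requested path must not be served."""


def has_image_extension(requested: str) -> bool:
    return os.path.splitext(requested)[1].lower() in IMAGE_EXTENSIONS


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    """Allowlist-only resolver: the containment check is skipped, so any
    readable file whose name ends in an allowed extension is served,
    including ../ escapes, absolute paths and symlinks out of the root."""
    if not has_image_extension(requested):
        raise ServeError("extension not allowed")
    # os.path.join discards base_dir entirely when `requested` is absolute
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_hardened(base_dir: str, requested: str) -> str:
    """Allowlist plus containment: resolve symlinks on both sides, then
    require the candidate to sit under the image root."""
    if not has_image_extension(requested):
        raise ServeError("extension not allowed")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath rejects ../ escapes and absolute paths; realpath above means
    # a symlink inside the root that points outside it is rejected too.
    if os.path.commonpath([root, candidate]) != root:
        raise ServeError("path escapes image root")
    if not os.path.isfile(candidate):
        raise ServeError("not a regular file")
    return candidate


def headers_for(path: str) -> dict:
    """Response headers that keep a served image from acting as a document."""
    ext = os.path.splitext(path)[1].lower()
    headers = {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        # stop the browser from sniffing a different, more dangerous type
        "X-Content-Type-Options": "nosniff",
        # even if the file is rendered as a document, no script or fetches run
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext == ".svg":
        # SVG may carry <script>; attachment prevents inline rendering
        name = os.path.basename(path).replace('"', "")
        headers["Content-Disposition"] = 'attachment; filename="%s"' % name
    else:
        headers["Content-Disposition"] = "inline"
    return headers


def demo() -> dict:
    """Build a scratch tree and run traversal attempts against both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "images")
        os.makedirs(root)
        with open(os.path.join(root, "logo.png"), "wb") as f:
            f.write(b"\x89PNG")  # constructed stand-in for a real image
        outside = os.path.join(tmp, "secret.svg")  # allowed extension, wrong place
        with open(outside, "w") as f:
            f.write("<svg/>")
        os.symlink(outside, os.path.join(root, "link.svg"))

        def hardened_rejects(req: str) -> bool:
            try:
                resolve_hardened(root, req)
                return False
            except ServeError:
                return True

        return {
            "vuln_serves_dotdot": os.path.isfile(resolve_vulnerable(root, "../secret.svg")),
            "vuln_serves_absolute": os.path.isfile(resolve_vulnerable(root, outside)),
            "vuln_serves_symlink": os.path.isfile(resolve_vulnerable(root, "link.svg")),
            "hard_rejects_dotdot": hardened_rejects("../secret.svg"),
            "hard_rejects_absolute": hardened_rejects(outside),
            "hard_rejects_symlink": hardened_rejects("link.svg"),
            "hard_serves_inside": resolve_hardened(root, "logo.png").endswith("logo.png"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The containment check is the fix for the second advisory; the allowlist alone is not, because it constrains the file name's suffix and nothing else. The header set is the fix for the first: `nosniff` and the CSP make an SVG inert if it is ever rendered, and `Content-Disposition: attachment` keeps it from rendering in the first place.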