ShellHub versions prior to 0.24.2 contain an input validation vulnerability in the device list endpoint. The endpoint accepts user-controlled identifiers in the `name` field of filter properties within a base64-encoded `filter` query parameter, as well as in the `sort_by` query parameter. These values are passed directly as BSON keys to the MongoDB query layer without validation. Any authenticated user can [truncated]
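The pattern behind this finding, and the fix a reviewer would expect, as an added example in Go that is not ShellHub's code. It assumes a filter property shape of `{"name": ..., "value": ...}`, a hypothetical allowlist of three device fields, and a plain `map[string]interface{}` standing in for the BSON document; the vulnerable builder copies every user-supplied name into the query as a key, while the safe builder and `sort_by` check reject anything outside the allowlist.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Property is one entry of the decoded filter array. The shape (a "name" plus
// a "value") is an assumption made for this example, not ShellHub's schema.
type Property struct {
	Name  string      `json:"name"`
	Value interface{} `json:"value"`
}

// allowedFields is the allowlist of device fields a caller may filter or sort
// on. The names are illustrative; a real service derives them from its schema.
var allowedFields = map[string]bool{
	"name":      true,
	"status":    true,
	"last_seen": true,
}

var ErrUnknownField = errors.New("field not in allowlist")

// BuildQueryVulnerable mirrors the unsafe pattern: each user-supplied name
// becomes a query key verbatim, so operators ("$where") and dotted paths into
// nested fields ("info.id") reach the database untouched.
func BuildQueryVulnerable(props []Property) map[string]interface{} {
	q := map[string]interface{}{}
	for _, p := range props {
		q[p.Name] = p.Value
	}
	return q
}

// BuildQuerySafe accepts only allowlisted, plain field names as keys.
func BuildQuerySafe(props []Property) (map[string]interface{}, error) {
	q := map[string]interface{}{}
	for _, p := range props {
		if !allowedFields[p.Name] {
			return nil, fmt.Errorf("%w: %q", ErrUnknownField, p.Name)
		}
		q[p.Name] = p.Value
	}
	return q, nil
}

// DecodeFilter parses the base64-encoded JSON array carried in ?filter=.
// An empty parameter means "no filter".
func DecodeFilter(raw string) ([]Property, error) {
	if raw == "" {
		return nil, nil
	}
	b, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("filter is not valid base64: %w", err)
	}
	var props []Property
	if err := json.Unmarshal(b, &props); err != nil {
		return nil, fmt.Errorf("filter is not a JSON array of properties: %w", err)
	}
	return props, nil
}

// ValidateSortBy accepts only allowlisted field names, defaulting when absent.
func ValidateSortBy(sortBy string) (string, error) {
	if sortBy == "" {
		return "last_seen", nil
	}
	if !allowedFields[sortBy] {
		return "", fmt.Errorf("%w: %q", ErrUnknownField, sortBy)
	}
	return sortBy, nil
}

// ParseDeviceListQuery validates a raw query string end to end and returns the
// query document and sort key that may safely be handed to the database.
func ParseDeviceListQuery(rawQuery string) (map[string]interface{}, string, error) {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, "", err
	}
	// url.ParseQuery turns a bare "+" into a space, so clients must
	// percent-encode the base64 value; a mangled value fails DecodeFilter.
	props, err := DecodeFilter(vals.Get("filter"))
	if err != nil {
		return nil, "", err
	}
	q, err := BuildQuerySafe(props)
	if err != nil {
		return nil, "", err
	}
	sortBy, err := ValidateSortBy(vals.Get("sort_by"))
	if err != nil {
		return nil, "", err
	}
	return q, sortBy, nil
}

func main() {
	// Constructed sample inputs: a benign filter and one carrying an operator key.
	for _, body := range []string{
		`[{"name":"status","value":"online"}]`,
		`[{"name":"$where","value":1}]`,
	} {
		enc := base64.StdEncoding.EncodeToString([]byte(body))
		q, sortBy, err := ParseDeviceListQuery("filter=" + url.QueryEscape(enc) + "&sort_by=name")
		fmt.Printf("%s -> query=%v sort=%q err=%v\n", body, q, sortBy, err)
	}
}
```

The allowlist is the whole fix: validating that a key "looks safe" (no leading `$`, no dots) still lets a caller probe fields the API never meant to expose, whereas a closed set of names bounds both the query shape and the sort key.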
ShellHub versions prior to 0.24.2 contain an authorization bypass vulnerability in the device metadata retrieval endpoint. The GET /api/devices/:uid endpoint returns complete device objects to any authenticated caller without validating namespace (tenant) ownership. An attacker with valid credentials—whether via JWT or API key—can enumerate or guess device UIDs to exfiltrate metadata from devices belongin [truncated]
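The missing check, shown as an added Go example that is not ShellHub's code. It assumes a hypothetical `Device` record with a `TenantID`, an in-memory map standing in for the device collection, and a `Caller` carrying the tenant the auth layer established from the JWT or API key. The unscoped handler selects by UID alone and hands a foreign tenant's device to any authenticated caller; the fixed handler makes the caller's tenant part of the lookup itself and answers 404 for UIDs outside it, so a foreign device is indistinguishable from a missing one.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Device is a minimal stand-in for a stored device document. The fields are
// illustrative and not ShellHub's schema.
type Device struct {
	UID      string
	TenantID string
	Name     string
}

var ErrNotFound = errors.New("device not found")

// Store is an in-memory stand-in for the device collection so the example
// runs offline. Against MongoDB the same distinction is whether the tenant
// is part of the find filter or not.
type Store struct {
	byUID map[string]Device
}

func NewStore(devs ...Device) *Store {
	s := &Store{byUID: make(map[string]Device, len(devs))}
	for _, d := range devs {
		s.byUID[d.UID] = d
	}
	return s
}

// GetByUID is the unscoped lookup: the UID alone selects the document, so any
// authenticated caller who knows or guesses a UID receives it.
func (s *Store) GetByUID(uid string) (Device, error) {
	d, ok := s.byUID[uid]
	if !ok {
		return Device{}, ErrNotFound
	}
	return d, nil
}

// GetByUIDInTenant makes the caller's tenant part of the query, so a device in
// another namespace yields the same result as one that does not exist.
func (s *Store) GetByUIDInTenant(tenantID, uid string) (Device, error) {
	d, ok := s.byUID[uid]
	if !ok || d.TenantID != tenantID {
		return Device{}, ErrNotFound
	}
	return d, nil
}

// Caller is what the authentication layer established from the JWT or API
// key. The tenant must come from here, never from a request parameter.
type Caller struct {
	TenantID string
}

// HandleGetDeviceUnscoped models the vulnerable GET /api/devices/:uid:
// authentication is checked, ownership is not.
func HandleGetDeviceUnscoped(s *Store, c Caller, uid string) (int, Device) {
	if c.TenantID == "" {
		return http.StatusUnauthorized, Device{}
	}
	d, err := s.GetByUID(uid)
	if errors.Is(err, ErrNotFound) {
		return http.StatusNotFound, Device{}
	}
	return http.StatusOK, d
}

// HandleGetDevice models the same route after the fix. Returning 404 rather
// than 403 for a foreign UID avoids confirming that the UID exists at all.
func HandleGetDevice(s *Store, c Caller, uid string) (int, Device) {
	if c.TenantID == "" {
		return http.StatusUnauthorized, Device{}
	}
	d, err := s.GetByUIDInTenant(c.TenantID, uid)
	if errors.Is(err, ErrNotFound) {
		return http.StatusNotFound, Device{}
	}
	return http.StatusOK, d
}

func main() {
	// Constructed sample data: two tenants, one device each.
	store := NewStore(
		Device{UID: "aaa111", TenantID: "tenant-a", Name: "edge-gw-1"},
		Device{UID: "bbb222", TenantID: "tenant-b", Name: "lab-pi"},
	)
	caller := Caller{TenantID: "tenant-a"}
	handlers := []struct {
		name string
		fn   func(*Store, Caller, string) (int, Device)
	}{
		{"unscoped", HandleGetDeviceUnscoped},
		{"scoped", HandleGetDevice},
	}
	for _, h := range handlers {
		code, d := h.fn(store, caller, "bbb222")
		fmt.Printf("%s lookup of a tenant-b device by a tenant-a caller: %d %+v\n", h.name, code, d)
	}
}
```

Putting the tenant into the query rather than checking it after the fetch also closes the window in which a handler returns the document before the comparison runs, and it keeps the behaviour identical across every route that reuses the store method.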