
The latest version of the fix has problems, and there are still vulnerabilities that can cause arbitrary code execution #262

@ghtwf01

Description


According to https://securitylab.github.com/advisories/GHSL-2021-064-netflix-ndbench we know the loophole principle and the repair method, but this vulnerability is not just because of cross-domain issues: the initfromscript endpoint is capable of unauthorized access. The new version does protect against cross-domain attacks, but instead of using a cross-domain attack, we can access it and pass the malicious code for execution directly, which is more direct and does not require user interaction. I have successfully exploited this vulnerability.
(attached screenshot: poc.png)
I think the best way to fix the bug is to restrict access to this endpoint or to do some security filtering on user input.
If you need the PoC, you can leave an email and I will send it to you. I sincerely hope that you can help me apply for a CVE number. Thank you!
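The gap the report describes, a fix that only checks the browser origin while a direct client still reaches script execution, shown as an added Python illustration. This is not ndbench's code and not the advisory's fix: the endpoint path, allowed origin, token and init profiles are assumptions, and the hardened gate applies the two mitigations the report suggests (restrict access to the endpoint, restrict what input it accepts).

```python
# Added example (not ndbench's code): contrast an Origin/CORS-only gate with an
# authentication + input-restriction gate in front of a script-executing endpoint.
# Every name, path and the token below is an assumption made for illustration.
import hmac
from dataclasses import dataclass, field

ALLOWED_ORIGIN = "https://dashboard.example"   # assumed trusted browser origin
SCRIPT_ENDPOINT = "/initfromscript"             # assumed route, named after the issue text
API_TOKEN = "assumed-shared-secret-for-demo"   # assumed; real deployments load this from config
# The hardened gate runs only server-side init profiles chosen by name,
# never caller-supplied script text. (Constructed sample profiles.)
INIT_PROFILES = {
    "cassandra-default": "init cassandra with default settings",
    "redis-default": "init redis with default settings",
}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request; enough for the comparison."""
    path: str
    body: str
    headers: dict = field(default_factory=dict)


def execute_script(script: str) -> str:
    """Stand-in for the engine that runs an init script. It returns a string
    instead of evaluating anything, so the example is safe to run."""
    return f"executed: {script}"


def cors_only_gate(req: Request):
    """A fix that only rejects requests carrying a foreign Origin header.

    That stops a victim's browser from being used as a confused deputy, but a
    direct client can omit Origin (or forge it) and still reach execution."""
    if req.path != SCRIPT_ENDPOINT:
        return 404, "not found"
    origin = req.headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, execute_script(req.body)


def hardened_gate(req: Request):
    """Authenticate the caller first, then refuse arbitrary script text."""
    if req.path != SCRIPT_ENDPOINT:
        return 404, "not found"
    auth = req.headers.get("Authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(presented.encode(), API_TOKEN.encode()):
        return 401, "authentication required"
    profile = req.body.strip()
    if profile not in INIT_PROFILES:
        return 400, "unknown init profile"
    return 200, execute_script(INIT_PROFILES[profile])


def demo():
    """Send the same direct (non-browser) requests through both gates."""
    direct = Request(SCRIPT_ENDPOINT, "<attacker-supplied script>")
    forged = Request(SCRIPT_ENDPOINT, direct.body, {"Origin": ALLOWED_ORIGIN})
    operator_auth = {"Authorization": f"Bearer {API_TOKEN}"}
    operator = Request(SCRIPT_ENDPOINT, "cassandra-default", operator_auth)
    operator_raw = Request(SCRIPT_ENDPOINT, direct.body, operator_auth)
    return {
        "cors_direct": cors_only_gate(direct)[0],              # 200: no Origin, script runs
        "cors_forged_origin": cors_only_gate(forged)[0],       # 200: Origin is attacker-chosen outside a browser
        "hardened_direct": hardened_gate(direct)[0],           # 401
        "hardened_forged_origin": hardened_gate(forged)[0],    # 401
        "hardened_operator": hardened_gate(operator)[0],       # 200: a named profile runs
        "hardened_operator_raw": hardened_gate(operator_raw)[0],  # 400: even authenticated callers get no free-form script
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The point of the comparison is the second row: an Origin header is set by browsers, not by an attacker's own HTTP client, so a server-side Origin check does nothing against the direct request the report describes. Only the combination of caller authentication and a closed set of accepted inputs removes the arbitrary-execution path.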
