http.sh/docs/sec-fixes/2024-12-15_notORM.md

2024-12-15 Possible pattern injection in notORM

Prior to commit a00b1b00ee, notORM was vulnerable to a pattern injection attack, which could potentially lead to privilege escalation through the account system.

The vulnerability arose due to an inconsistency with how certain versions of sed handle escaped hex characters (\xNN). GNU sed expands the escaped characters and treats them as a raw part of the pattern as long as Extended Regex (-E) mode is used. This behavior is not present within busybox sed, which is why it hasn't been caught before.