Changelog
Fixed a security issue:
Missing store ownership check when a player modifies a user's store permissions using the /qs permission command. This allows the user to take over arbitrary store permissions, including the administrator store.
This patch will not revoke permissions, you will need to do a check on the store's already set Per-player permissions property to avoid pre-existing exploits. For past versions, you can disable the command interface for the per-player permission system to avoid new exploits /lp group default permission set quickshop.permission false. However, upgrading is still recommended.
Considering that this security vulnerability allows for store privilege escalation (including unlimited stores, aka AdminShop) and allows for the modification of store transaction contents, prices, and disruption of the server's economic system, we strongly recommend that you plan an update immediately and utilize LuckPerms through the guide to disable this feature before you maintain it.
Dependencies
Files
90% of ad revenue goes to creators
Support creators and Modrinth ad-free with Modrinth+Metadata
Release channel
ReleaseVersion number
5.2.0.10Loaders
Game versions
1.18.2–1.20.4Downloads
521Publication date
January 3, 2024 at 9:33 AMPublisher
Ghost_chu
Owner