SNS
lin-snow/Ech0
Ech0 – An open-source, self-hosted lightweight publishing platform for personal idea sharing.
#go #markdown #memo #self-hosted #social-network #sqlite3 #vue #ech0 #golang #microblog #notecard #sqlite #vue3
Score
60
/ 100
Star
1,973
Fork
151
Open Issue
2
Size
106MB
Language
Go
Last push
0 days ago
Docker
—
Scoring breakdown
Past CVEs: 3 (moderate)
✓ Recent push: 0 days ago
✓ Preferred language (Go)
— Open issues: 2
— Large size (106MB)
— No Docker support
— 1k–10k stars: best for beginners (★1,973)
※ See the "Scoring rules" for the weight of each item. The total is floored at 0.
Past Security Advisories (18)
- Access tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI
- OAuth redirect URI validation ignores path component, enables exchange-code theft
- Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo
- PUT /api/echo/like/:id unauthenticated: anonymous callers modify any echo's fav_count
- Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation
- RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers
- Comment model's Email field returned on public /api/comments endpoints
- Authorization bypass on admin endpoints and /ws/system/logs — session tokens skip RequireScopes
- Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload
- SSRF via DNS Resolution Bypass in Webhook URL Validation
- Missing Authorization on System Logs Allows Non-Admin Information Disclosure
- Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass
- Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session
- Missing authorization on dashboard log endpoints allows low-privilege users to access sensitive system logs
- Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export
- Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
- Unauthenticated Server-Side Request Forgery in Website Preview Feature
- Authenticated user-list exposed data via public `/api/allusers` endpoint