Script Injection Vulnerability

This has broken the game Lava Tumble. Backpack objects were used as a kind of organizational unit. This was done long before the folder object became a thing. You should know that this change is not backward compatible. This breaking change could stand to be made more visible.

1 Like

We are adding a setting to see all objects in the Explorer which will enable you to do this.

6 Likes

I’ve been trying to find out why there was zero setting for this. I remember before there being an option to see every service, regardless of being able to even edit or rename it. Hopefully this comes soon, I’ve accidently been using a backdoor plugin for a long time, and I believe studio should just automatically clear all the children in the still invisible CSGService service. Knowing that it’s already patched from using scripts on backpacks, the file is still there and useless.

We considered automatically removing unexpected children from CSGDictionaryService but decided against it because it might not have been the only container affected and once the patch went out, those instances do no harm.

Thank you for the heads up! I’ve recently been using plugins; luckily I never come across the issue, appreciate you looking into the vulnerability and making us all aware.

2 Likes