Announcement

These are fake vulnerabilities filed by a company that was attempting to sell services to Isomorphic.

In all 3 cases, the "vulnerabilities" reported are intentional functionality that, at deployment time, is enabled only for admins, and only if a customer specifically chooses to deploy it (see Tools Deployment).

So, essentially, it is as if someone reported that there is a vulnerability in the desktop installed version of Microsoft Word, because once installed, Microsoft Word can read and write files. Obviously, reading and writing files is what Microsoft Word is supposed to do, so reporting this as a vulnerability is completely absurd.

No legit security company would make such a report, or even become confused on this point. We did painstakingly explain to this company that the vulnerabilities were false and that we were not interested in purchasing their services, but they submitted them publicly anyway..

Please do not further feed the trolls, as, the best outcome here is that this company is never able to submit CVE reports again.

Can you please confirm if your previously stated response for these CVEs are still applicable in the latest version of the product?

Yes, these continue to be fake vulnerabilities reported by scam artists, not of any concern to anyone.

Thanks for the confirmation :-)