in-toto is vulnerable to External Control of Configuration. The vulnerability exists because the user_settings module is implemented insecurely: it loads configuration from the local (working) directory, so an attacker who can place a maliciously crafted .in_totorc file there, containing the necessary exclude patterns and settings, can inject configuration and mask their activities.
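The following is an added example, not in-toto's own code, contrasting the weak pattern the advisory describes (an rc file picked up from the working directory overrides the tool's settings) with a hardened loader that reads only an operator-chosen path and reports, rather than applies, any .in_totorc found in the working directory. The `[settings]` section name, the `ARTIFACT_EXCLUDE_PATTERNS` and `ARTIFACT_BASE_PATH` keys, the sample rc contents and all function names are assumptions made for illustration; only the file name .in_totorc comes from the advisory.

```python
"""Added example (not in-toto's code): external control of configuration via a
working-directory rc file, and a loader that refuses to honour it."""
import configparser
import os
import stat
import tempfile

RC_NAME = ".in_totorc"      # file name from the advisory
SECTION = "settings"        # assumed section name
# Assumed setting keys; an empty exclude list means every artifact is recorded.
DEFAULTS = {"ARTIFACT_EXCLUDE_PATTERNS": "", "ARTIFACT_BASE_PATH": ""}


def parse_rc(path):
    """Parse one rc file into a flat dict of upper-cased keys.
    A missing file or missing section yields an empty dict."""
    parser = configparser.ConfigParser()
    if not parser.read(path) or not parser.has_section(SECTION):
        return {}
    return {key.upper(): value for key, value in parser.items(SECTION)}


def is_trustworthy_file(path):
    """On POSIX, refuse a config file that other users could have edited
    (group- or world-writable). Non-POSIX platforms are accepted as-is."""
    if os.name != "posix":
        return True
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def load_settings_insecure(cwd):
    """Weak pattern: whatever rc file sits in the working directory is merged
    over the defaults, so a crafted file there silently rewrites the settings
    (for example, exclude patterns that hide artifacts from the link)."""
    settings = dict(DEFAULTS)
    settings.update(parse_rc(os.path.join(cwd, RC_NAME)))
    return settings


def load_settings_hardened(cwd, trusted_rc=None):
    """Hardened pattern: only an explicitly chosen, permission-checked file is
    read. A stray rc file in the working directory is reported but never
    applied. Returns (settings, warnings)."""
    settings = dict(DEFAULTS)
    warnings = []
    if trusted_rc and os.path.exists(trusted_rc):
        if is_trustworthy_file(trusted_rc):
            settings.update(parse_rc(trusted_rc))
        else:
            warnings.append(f"refused writable-by-others rc file: {trusted_rc}")
    stray = os.path.join(cwd, RC_NAME)
    if os.path.exists(stray):
        warnings.append(f"ignored untrusted rc file in working directory: {stray}")
    return settings, warnings


def demo():
    """Construct a working directory holding a crafted rc file and compare what
    each loader applies. Returns (insecure_excludes, hardened_excludes, warnings)."""
    with tempfile.TemporaryDirectory() as cwd:
        crafted = os.path.join(cwd, RC_NAME)
        with open(crafted, "w", encoding="utf-8") as fh:
            # Constructed sample: excludes that would hide source and binaries.
            fh.write("[settings]\nARTIFACT_EXCLUDE_PATTERNS = *.py,*.so\n")
        insecure = load_settings_insecure(cwd)
        hardened, warnings = load_settings_hardened(cwd, trusted_rc=None)
    return (insecure["ARTIFACT_EXCLUDE_PATTERNS"],
            hardened["ARTIFACT_EXCLUDE_PATTERNS"],
            warnings)


if __name__ == "__main__":
    weak, safe, notes = demo()
    print("insecure loader applied excludes:", repr(weak))
    print("hardened loader applied excludes:", repr(safe))
    for note in notes:
        print("warning:", note)
```

The detection side is the `warnings` list: a CI job or wrapper script can fail the run when a .in_totorc appears in a checkout it does not expect to carry one, which is the signal an operator would want before any link metadata is generated.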