Filtered by vendor Mitre
Subscriptions
Filtered by product Caldera
Subscriptions
Total
13 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-19907 | 1 Mitre | 1 Caldera | 2024-08-04 | 8.8 High |
| A command injection vulnerability in the sandcat plugin of Caldera 2.3.1 and earlier allows authenticated attackers to execute any command or service. | ||||
| CVE-2020-14462 | 1 Mitre | 1 Caldera | 2024-08-04 | 5.4 Medium |
| CALDERA 2.7.0 allows XSS via the Operation Name box. | ||||
| CVE-2020-10807 | 1 Mitre | 1 Caldera | 2024-08-04 | 5.3 Medium |
| auth_svc in Caldera before 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host header. | ||||
| CVE-2021-42561 | 1 Mitre | 1 Caldera | 2024-08-04 | 8.8 High |
| An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute arbitrary shell commands. | ||||
| CVE-2021-42562 | 1 Mitre | 1 Caldera | 2024-08-04 | 8.1 High |
| An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by admin users. | ||||
| CVE-2021-42559 | 1 Mitre | 1 Caldera | 2024-08-04 | 8.8 High |
| An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted. | ||||
| CVE-2021-42560 | 1 Mitre | 1 Caldera | 2024-08-04 | 8.8 High |
| An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.). | ||||
| CVE-2021-42558 | 1 Mitre | 1 Caldera | 2024-08-04 | 6.1 Medium |
| An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers. | ||||
| CVE-2022-41139 | 1 Mitre | 1 Caldera | 2024-08-03 | 5.4 Medium |
| MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents. | ||||
| CVE-2022-40606 | 1 Mitre | 1 Caldera | 2024-08-03 | 6.1 Medium |
| MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40605. | ||||
| CVE-2022-40605 | 1 Mitre | 1 Caldera | 2024-08-03 | 6.1 Medium |
| MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606. | ||||
| CVE-2023-51792 | 1 Mitre | 1 Caldera | 2024-08-02 | 3.3 Low |
| Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000. | ||||
| CVE-2024-22856 | 1 Mitre | 1 Caldera | 2024-08-01 | 0 Low |
| A SQL injection vulnerability via the Save Favorite Search function in Axefinance Axe Credit Portal >= v.3.0 allows authenticated attackers to execute unintended queries and disclose sensitive information from DB tables via crafted requests. | ||||
Page 1 of 1.