CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18327
https://notcve.org/view.php?id=CVE-2020-18327
Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2 Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en Alfresco Community Edition versión v5.2.0, por medio del parámetro action en la API alfresco/s/admin/admin-nodebrowser. Corregido en versión v6.2 • https://gist.github.com/paatui/a3c7ca8cf12594b437d3854f13d76cb8 https://www.cvedetails.com/vulnerability-list/vendor_id-13372/product_id-27784/opxss-1/Alfresco-Alfresco.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-41792
https://notcve.org/view.php?id=CVE-2021-41792
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3. A crafted HTML file, once uploaded, could trigger an unexpected request by the transformation engine. The response to the request is not available to the attacker, i.e., this is blind SSRF. Se ha detectado un problema en Hyland org.alfresco:alfresco-content-services versiones hasta 6.2.2.18 y org.alfresco:alfresco-transform-services versiones hasta 1.3. Un archivo HTML diseñado, una vez cargado, podría desencadenar una petición inesperada por parte del motor de transformación. • https://github.com/Alfresco/acs-packaging/blob/master/DISCLOSURES.md https://www.themissinglink.com.au • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-41790
https://notcve.org/view.php?id=CVE-2021-41790
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment. Se ha detectado un problema en Hyland org.alfresco:alfresco-content-services versiones hasta 7.0.1.2. La ejecución de acciones de script permite ejecutar scripts cargados fuera del diccionario de datos. • https://github.com/Alfresco/acs-packaging/blob/master/DISCLOSURES.md https://www.themissinglink.com.au •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2CVE-2020-8778 – Alfresco 5.2.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-8778
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project. Alfresco Enterprise versiones anteriores a 5.2.7 y Alfresco Community versiones anteriores a 6.2.0 (rb65251d6-b368), presentan una vulnerabilidad de tipo XSS por medio de un documento cargado, cuando el atacante posee acceso de escritura a un proyecto. Alfresco version 5.2.4 suffers from multiple persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/48162 http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html https://gitlab.com/snippets/1937042 https://issues.alfresco.com/jira/browse/ALF-22110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2CVE-2020-8777 – Alfresco 5.2.4 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-8777
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document. Alfresco Enterprise versiones anteriores a.2.7 y Alfresco Community versiones anteriores a 6.2.0 (rb65251d6-b368), presentan una vulnerabilidad de tipo XSS por medio de una foto de perfil de usuario, como es demostrado por medio de un elemento SCRIPT en un documento SVG. Alfresco version 5.2.4 suffers from multiple persistent cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/48162 http://packetstormsecurity.com/files/156599/Alfresco-5.2.4-Cross-Site-Scripting.html https://gitlab.com/snippets/1937042 https://issues.alfresco.com/jira/browse/ALF-22110 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •