CVE-2024-1063
https://notcve.org/view.php?id=CVE-2024-1063
Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159. Appwrite <= v1.4.13 se ve afectada por Server-Side Request Forgery (SSRF) a través del endpoint '/v1/avatars/favicon' debido a una solución incompleta de CVE-2023-27159. • https://www.tenable.com/security/research/tra-2024-03 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-27159
https://notcve.org/view.php?id=CVE-2023-27159
Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request. • http://appwrite.com https://gist.github.com/b33t1e/43b26c31e895baf7e7aea2dbf9743a9a https://gist.github.com/b33t1e/e9e8192317c111e7897e04d2f9bf5fdb https://github.com/appwrite/appwrite https://notes.sjtu.edu.cn/gMNlpByZSDiwrl9uZyHTKA • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-2925 – Cross-site Scripting (XSS) - Stored in appwrite/appwrite
https://notcve.org/view.php?id=CVE-2022-2925
Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Almacenado en el repositorio GitHub appwrite/appwrite versiones anteriores a 1.0.0-RC1 • https://github.com/appwrite/appwrite/commit/b5b4d92623c13fa8e5c71736db461e81fb7a7ade https://huntr.dev/bounties/a3b4148f-165f-4583-abed-5568696d99dc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-23682 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2021-23682
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability. Esto afecta al paquete litespeed.js versiones anteriores a 0.3.12; al paquete appwrite/server-ce desde versión 0.12.0 y anteriores a 0.12.2, anteriores a 0.11.1. Cuando es analizada la cadena de consulta en la función getJsonFromUrl, la clave que es establecida en el objeto resultante no es saneada apropiadamente, conllevando a una vulnerabilidad de Contaminación de Prototipos • https://github.com/appwrite/appwrite/pull/2778 https://github.com/appwrite/appwrite/releases/tag/0.11.1 https://github.com/appwrite/appwrite/releases/tag/0.12.2 https://github.com/litespeed-js/litespeed.js/pull/18 https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250 https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •