
CVSS: 6.1 • EPSS: 0% • CPEs: 7 • EXPL: 0

In all versions of Eclipse hawkBit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a nonexistent resource returns the full path from the given URL to the client unescaped.

• https://bugs.eclipse.org/bugs/show_bug.cgi?id=570289
• https://github.com/eclipse/hawkbit/issues/1067
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 • EPSS: 0% • CPEs: 2 • EXPL: 1

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin-based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence, build artifacts produced by hawkBit might be infected.

• https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053
• CWE-319: Cleartext Transmission of Sensitive Information
• CWE-494: Download of Code Without Integrity Check
• CWE-829: Inclusion of Functionality from Untrusted Control Sphere