CVE-2023-42334
https://notcve.org/view.php?id=CVE-2023-42334
20 Sep 2023 — An Indirect Object Reference (IDOR) in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to escalate privileges via the user parameter. • https://0xhunter20.medium.com/an-idor-lead-to-viewing-other-users-files-cve-2023-42334-702de328c453 • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2023-42335
https://notcve.org/view.php?id=CVE-2023-42335
20 Sep 2023 — Unrestricted File Upload vulnerability in Fl3xx Dispatch 2.10.37 and fl3xx Crew 2.10.37 allows a remote attacker to execute arbitrary code via the add attachment function in the New Expense component. • https://0xhunter20.medium.com/how-i-found-unrestricted-file-upload-in-fl3xx-ios-app-cve-2023-42335-6b1a72da6d65 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-40171 – Dispatch writes JWT tokens in error message
https://notcve.org/view.php?id=CVE-2023-40171
17 Aug 2023 — Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in the error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error while attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing any account to be taken over within their own instance. This could b... • https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70 • CWE-209: Generation of Error Message Containing Sensitive Information
CVE-2020-9299
https://notcve.org/view.php?id=CVE-2020-9299
09 Nov 2020 — XSS vulnerabilities were discovered and reported in the Dispatch application, affecting the name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user. • https://github.com/Netflix/dispatch/releases/tag/v20201106 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9300
https://notcve.org/view.php?id=CVE-2020-9300
09 Nov 2020 — The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users being able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines the risk of this is lowered, as this may only be exploited by an authenticated user. • https://github.com/Netflix/dispatch/releases/tag/v20201106