CVE-2022-21949 – Multiple XXE vulnerabilities in OBS
https://notcve.org/view.php?id=CVE-2022-21949
An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service versions prior to 2.10.13. • https://bugzilla.suse.com/show_bug.cgi?id=1197928 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2021-36777 – login-proxy sends password to attacker-provided domain
https://notcve.org/view.php?id=CVE-2021-36777
A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build Service allowed attackers to present users with an expected login form that then sends the clear-text credentials to an attacker-specified server. This issue affects: openSUSE Build Service login-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef. • https://bugzilla.suse.com/show_bug.cgi?id=1191209 • CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVE-2020-8031 – obs: Stored XSS
https://notcve.org/view.php?id=CVE-2020-8031
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8. • https://bugzilla.suse.com/show_bug.cgi?id=1178880 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-8021 – unauthorized read access to files where sourceaccess is disabled via a crafted _service file in Open Build Service
https://notcve.org/view.php?id=CVE-2020-8021
An Improper Access Control vulnerability in Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled. This issue affects: Open Build Service versions prior to 2.10.5. • https://bugzilla.suse.com/show_bug.cgi?id=1171649 • https://lists.debian.org/debian-lts-announce/2021/02/msg00006.html • CWE-269: Improper Privilege Management •
CVE-2020-8020 – Persistent XSS in markdown parser used by obs-server
https://notcve.org/view.php?id=CVE-2020-8020
An Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. • https://bugzilla.suse.com/show_bug.cgi?id=1171439 • https://lists.debian.org/debian-lts-announce/2021/02/msg00006.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •