CVE-2023-3432 – Server-Side Request Forgery (SSRF) in plantuml/plantuml
https://notcve.org/view.php?id=CVE-2023-3432
Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.
• https://github.com/plantuml/plantuml/commit/b32500bb61ae617bb312496d6d832e4be8190797
• https://huntr.dev/bounties/8ac3316f-431c-468d-87e4-3dafff2ecf51
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FV7XL3CY3K3K5ER3ASMEQA546MIQQ7QM
• CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-3431 – Improper Access Control in plantuml/plantuml
https://notcve.org/view.php?id=CVE-2023-3431
Improper Access Control in GitHub repository plantuml/plantuml prior to 1.2023.9.
• https://github.com/plantuml/plantuml/commit/fbe7fa3b25b4c887d83927cffb1009ec6cb8ab1e
• https://huntr.dev/bounties/fa741f95-b53c-4ed7-b157-e32c5145164c
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FV7XL3CY3K3K5ER3ASMEQA546MIQQ7QM
• CWE-284: Improper Access Control
CVE-2022-1379 – URL Restriction Bypass in plantuml/plantuml
https://notcve.org/view.php?id=CVE-2022-1379
URL Restriction Bypass in GitHub repository plantuml/plantuml prior to V1.2022.5. An attacker can abuse this to bypass the URL restrictions imposed by the different security profiles and achieve server-side request forgery (SSRF). This allows accessing restricted internal resources/servers or sending requests to third-party servers.
• https://github.com/plantuml/plantuml/commit/93e5964e5f35914f3f7b89de620c596795550083
• https://huntr.dev/bounties/0d737527-86e1-41d1-9d37-b2de36bc063a
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHUE4G5CAJUD7L2QPJF6U4JYQTP7CNNL
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4DP36G2VBOZUNQIUZ5LVJKZIVO4SDAI
• CWE-918: Server-Side Request Forgery (SSRF)
CVE-2022-1231 – XSS via Embedded SVG in SVG Diagram Format in plantuml/plantuml
https://notcve.org/view.php?id=CVE-2022-1231
XSS via Embedded SVG in SVG Diagram Format in GitHub repository plantuml/plantuml prior to 1.2022.4. Stored XSS in the context of the diagram embedder. Depending on the actual context, this ranges from stealing secrets to account hijacking or even to code execution, for example in desktop applications. Web-based applications are the ones most affected. Since the SVG format allows clickable links in diagrams, it is commonly used in plugins for web-based projects (like the Confluence plugin, etc.; see https://plantuml.com/de/running).
• https://github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903
• https://huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EO26WBHQRMWTS44M5VLZJIJZOIGJYL3A
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FQMHXN5BVBK433C5SVSSBXWB5JLJ7NID
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')