
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://www.soapui.org/downloads/latest-release/release-notes https://www.zerodayinitiative.com/advisories/ZDI-24-1100 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.3 • EPSS: 5% • CPEs: 1 • EXPL: 0

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via HTTP routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability. • https://github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7 https://github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4 https://security.netapp.com/advisory/ntap-20240216-0002 • CWE-1188: Initialization of a Resource with an Insecure Default

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

There exists a privilege escalation vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by authorized users to reset passwords for other accounts. • https://smartbear.com/security/cve • CWE-863: Incorrect Authorization

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

There exists an information disclosure vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by unauthenticated users to read arbitrary files from Zephyr instances. • https://smartbear.com/security/cve • CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

SmartBear Zephyr Enterprise through 7.15.0 mishandles user-defined input during report generation. This could lead to remote code execution by unauthenticated users. • https://smartbear.com/security/cve • CWE-94: Improper Control of Generation of Code ('Code Injection')