CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22207 – Default swagger-ui configuration exposes all files in the module
https://notcve.org/view.php?id=CVE-2024-22207
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability. fastify-swagger-ui es un complemento de Fastify para servir la interfaz de usuario de Swagger. Antes de 2.1.0, la configuración predeterminada de `@fastify/swagger-ui` sin `baseDir` configurado hará que todos los archivos en el directorio del módulo queden expuestos a través de rutas http servidas por el módulo. • https://github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7 https://github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4 https://security.netapp.com/advisory/ntap-20240216-0002 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22889
https://notcve.org/view.php?id=CVE-2023-22889
SmartBear Zephyr Enterprise through 7.15.0 mishandles user-defined input during report generation. This could lead to remote code execution by unauthenticated users. • https://smartbear.com/security/cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22891
https://notcve.org/view.php?id=CVE-2023-22891
There exists a privilege escalation vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by authorized users to reset passwords for other accounts. • https://smartbear.com/security/cve • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22890
https://notcve.org/view.php?id=CVE-2023-22890
SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated users to upload large files, which could exhaust the local drive space, causing a denial of service condition. • https://smartbear.com/security/cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22892
https://notcve.org/view.php?id=CVE-2023-22892
There exists an information disclosure vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by unauthenticated users to read arbitrary files from Zephyr instances. • https://smartbear.com/security/cve • CWE-668: Exposure of Resource to Wrong Sphere •