CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43706
https://notcve.org/view.php?id=CVE-2022-43706
05 Dec 2022 — Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users. La vulnerabilidad de Cross-Site Scripting (XSS) en la interfaz de usuario web de las versiones de StackStorm anteriores a la 3.8.0 permitía a los usuarios registrados con acceso de escritura para empaquetar reglas para inyectar scripts arbitrarios o HTML que pueden ejec... • https://stackstorm.com/2022/12/v3-8-0-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44009
https://notcve.org/view.php?id=CVE-2022-44009
05 Dec 2022 — Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information. El control de acceso inadecuado en RBAC de valor clave en StackStorm versión 3.7.0 no verificó los permisos en los filtros Jinja, lo que permitió a los atacantes acceder a pares K/V de otros usuarios, lo que podría provocar la exposición de información confidencial. • https://stackstorm.com/2022/12/v3-8-0-released • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2021-44657
https://notcve.org/view.php?id=CVE-2021-44657
15 Dec 2021 — In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default. En StackStorm versiones anteriores a 3.6.0, el intérprete de jinja no se ejecutaba en modo sandbox y, por tanto, permitía una ejecución de comandos del sistema no seguros. Jinja no habilita el modo sandbox por defecto debido a la com... • https://github.com/StackStorm/st2/pull/5359 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28667
https://notcve.org/view.php?id=CVE-2021-28667
18 Mar 2021 — StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name). StackStorm versiones anteriores a 3.4.1, en algunas situaciones, presenta un bucle infinito que consume toda la memoria disponible y el espacio en disco. Esto puede ocurrir si se usa Python versión 3.x, la configuración regional no es utf-8 y se intent... • https://stackstorm.com/2021/03/10/stackstorm-v3-4-1-security-fix • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-9580
https://notcve.org/view.php?id=CVE-2019-9580
09 Mar 2019 — In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS. En st2web, en la UI de StackStorm Web, en versiones anteriores a la la 2.9.3 y en las 2.10.x anteriores a la 2.10.3, es posible omitir el mecanismo de protección CORS mediante un valor de origen "nulo", conduciendo, potencialmente, a Cross-Site Scripting (XSS). • https://github.com/mpgn/CVE-2019-9580 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2018-20345
https://notcve.org/view.php?id=CVE-2018-20345
21 Dec 2018 — Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=