CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22270 – Stored XSS in CyberArk Endpoint Privilege Manager
https://notcve.org/view.php?id=CVE-2025-22270
28 Feb 2025 — An attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. It should be noted, however, that the risk of exploiting vulnerability is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which mitigates JS code execution while still allowing HTML injection. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is un... • https://cert.pl/en/posts/2025/02/CVE-2025-22270 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54840
https://notcve.org/view.php?id=CVE-2024-54840
03 Feb 2025 — PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. • https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-4.htm#Securitybugfixes • CWE-348: Use of Less Trusted Source •
CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-57967
https://notcve.org/view.php?id=CVE-2024-57967
03 Feb 2025 — PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 has potentially elevated privileges in LDAP mapping. • https://docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-4.htm#Securitybugfixes • CWE-266: Incorrect Privilege Assignment •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42340 – CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
https://notcve.org/view.php?id=CVE-2024-42340
25 Aug 2024 — CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-602: Client-Side Enforcement of Server-Side Security •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42339 – CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2024-42339
25 Aug 2024 — CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42338 – CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2024-42338
25 Aug 2024 — CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42337 – CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2024-42337
25 Aug 2024 — CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • https://www.gov.il/en/Departments/faq/cve_advisories • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2017-11197 – CyberArk Viewfinity 5.5.10.95 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-11197
03 May 2023 — In CyberArk Viewfinity 5.5.10.95 and 6.x before 6.1.1.220, a low privilege user can escalate to an administrative user via a bug within the "add printer" option. • https://www.exploit-db.com/exploits/42319 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-22700
https://notcve.org/view.php?id=CVE-2022-22700
03 Mar 2022 — CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant. CyberArk Identity versiones hasta la 22.1 incluyéndola, en el recurso "StartAuthentication", exponen el encabezado de respuesta "X-CFY-TX-TM". En determinadas configuraciones, ese encabezado de respuesta contiene dife... • https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/ReleaseNotes-Latest.htm • CWE-330: Use of Insufficiently Random Values •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-44049
https://notcve.org/view.php?id=CVE-2021-44049
15 Jan 2022 — CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 2021-12-20 allows a local user to gain elevated privileges via a Trojan horse Procmon64.exe in the user's Temp directory. CyberArk Endpoint Privilege Manager (EPM) versiones hasta 11.5.3.328 anteriores a 20-12-2021, permite a un usuario local alcanzar privilegios elevados por medio de un troyano Procmon64.exe en el directorio Temp del usuario • https://docs.cyberark.com/Product-Doc/OnlineHelp/EPM-onprem/Latest/en/Content/Release%20Notes/RN-WhatsNew.htm • CWE-668: Exposure of Resource to Wrong Sphere •