CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-28175 – Cross-site scripting on application summary component in argo-cd
https://notcve.org/view.php?id=CVE-2024-28175
13 Mar 2024 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will e... • https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 1CVE-2024-22424 – Cross-Site Request Forgery (CSRF) in github.com/argoproj/argo-cd
https://notcve.org/view.php?id=CVE-2024-22424
19 Jan 2024 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page which contains code to call Argo CD API endpoints on the victim’s behalf. For example, an attacker could send an Argo CD use... • https://github.com/argoproj/argo-cd/issues/2496 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2023-40025 – Argo CD web terminal session doesn't expire
https://notcve.org/view.php?id=CVE-2023-40025
23 Aug 2023 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting from version 2.6.0 have a bug where open web terminal sessions do not expire. This bug allows users to send any websocket messages even if the token has already expired. The most straightforward scenario is when a user opens the terminal view and leaves it open for an extended period. This allows the user to view sensitive information even when they should have been logged out already. • https://github.com/argoproj/argo-cd/commit/e047efa8f9518c54d00d2e4493b64bc4dba98478 • CWE-613: Insufficient Session Expiration •