CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2018-15798 – Pivotal Concourse allows malicious redirect urls on login
https://notcve.org/view.php?id=CVE-2018-15798
Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user's access token in Concourse. Pivotal Concourse Release, en versiones 4.x anteriores a la 4.2.2, el flujo de inicio de sesión permite las redirecciones a sitios web no fiables. Un atacante remoto no autenticado podría convencer a un usuario para que haga clic en un enlace mediante el enlace oAuth de redirección en un sitio web no fiable y obtener acceso al token de acceso de dicho usuario en Concourse. • https://pivotal.io/security/cve-2018-15798 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1227
https://notcve.org/view.php?id=CVE-2018-1227
Pivotal Concourse after 2018-03-05 might allow remote attackers to have an unspecified impact, if a customer obtained the Concourse software from a DNS domain that is no longer controlled by Pivotal. The original domain for the Concourse CI (concourse-dot-ci) open source project has been registered by an unknown actor, and is therefore no longer the official website for Concourse CI. The new official domain is concourse-ci.org. At approximately 4 am EDT on March 7, 2018 the Concourse OSS team began receiving reports that the Concourse domain was not responding. The Concourse OSS team discovered, upon investigation with both the original and the new domain registrars, that the originating domain registrar had made the domain available for purchase. • https://pivotal.io/security/cve-2018-1227 •