CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 1CVE-2022-35507
https://notcve.org/view.php?id=CVE-2022-35507
A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3. Una vulnerabilidad de inyección CRLF de encabezado de respuesta en la interfaz web Proxmox Virtual Environment (PVE) y Proxmox Mail Gateway (PMG) permite a un atacante remoto configurar cookies para el navegador de una víctima que son más largas de lo que espera el servidor, lo que provoca un DoS del lado del cliente. Esto afecta a los navegadores basados en Chromium porque permiten la inyección de encabezados de respuesta con %0d. • https://git.proxmox.com/?p=pve-http-server.git%3Ba=commitdiff%3Bh=936007ae0241811093155000486da171379c23c2 https://starlabs.sg/blog/2022/12-multiple-vulnerabilites-in-proxmox-ve--proxmox-mail-gateway • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4156
https://notcve.org/view.php?id=CVE-2014-4156
Proxmox VE prior to 3.2: 'AccessControl.pm' User Enumeration Vulnerability Proxmox VE versiones anteriores a 3.2: Vulnerabilidad de Enumeración de Usuario de "AccessControl.pm". • http://www.openwall.com/lists/oss-security/2014/06/17/16 http://www.securityfocus.com/bid/68028 • CWE-203: Observable Discrepancy •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2015-9058
https://notcve.org/view.php?id=CVE-2015-9058
Open redirect vulnerability in Proxmox Mail Gateway prior to hotfix 4.0-8-097d26a9 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter. La vulnerabilidad de redirección abierta en Proxmox Mail Gateway anteriores a la versión4.0-8-097d26a9 permite a atacantes remotos redirigir a los usuarios a sitios web arbitrarios y realizar ataques de phishing a través del parámetro destination. • https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-024/?fid=7431 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2015-9057
https://notcve.org/view.php?id=CVE-2015-9057
Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Gateway prior to hotfix 4.0-8-097d26a9 allow remote attackers to inject arbitrary web script or HTML via multiple parameters, related to /users/index.htm, /quarantine/spam/manage.htm, /quarantine/spam/whitelist.htm, /queues/mail/index/, /system/ssh.htm, /queues/mail/?domain=, and /quarantine/virus/manage.htm. Múltiples vulnerabilidades de XSS en Proxmox Mail Gateway anterior al hotfix 4.0-8-097d26a9 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de múltiples parámetros, relacionado con /users/index.htm, /quarantine/spam/manage.htm, /quarantine/spam/whitelist.htm, /queues/mail/index/, /system/ssh.htm, /queues/mail/?domain=, y /quarantine/virus/manage.htm. • https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-024/?fid=7431 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 2CVE-2014-2325
https://notcve.org/view.php?id=CVE-2014-2325
Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail Gateway before 3.1-5829 allow remote attackers to inject arbitrary web script or HTML via the (1) state parameter to objects/who/index.htm or (2) User email address to quarantine/spam/manage.htm. Múltiples vulnerabilidades de XSS en Proxmox Mail Gateway anterior a 3.1-5829 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través del (1) parámetro state hacia objects/who/index.htm o (2) dirección de email de usuario hacia quarantine/spam/manage.htm. • http://proxmox.com/news/archive/view/listid-1-proxmox-newsletter/mailid-48-proxmox-newsletter-march-2014-proxmox-ve-3-2-released/tmpl-component http://seclists.org/fulldisclosure/2014/Mar/110 http://www.securityfocus.com/bid/66169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •