
CVE-2021-21234 – Directory Traversal
https://notcve.org/view.php?id=CVE-2021-21234
05 Jan 2021 — spring-boot-actuator-logview is a library that adds a simple logfile viewer as a Spring Boot Actuator endpoint. It is the Maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (Spring Boot Actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. • https://github.com/xiaojiangxl/CVE-2021-21234 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2017-12881
https://notcve.org/view.php?id=CVE-2017-12881
18 Aug 2017 — Cross-site request forgery (CSRF) vulnerability in Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the file upload vulnerability. • http://www.openwall.com/lists/oss-security/2017/08/16/5 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2017-12882
https://notcve.org/view.php?id=CVE-2017-12882
18 Aug 2017 — Stored cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality. • http://www.openwall.com/lists/oss-security/2017/08/16/5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')