Page 27 of 203 results (0.004 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-27138 – Apache Archiva: disabling user registration is not effective

https://notcve.org/view.php?id=CVE-2024-27138

Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Vulnerabilidad de autorización incorrecta en Apache Archiva. Apache Archiva tiene una configuración para deshabilitar el registro de usuarios; sin embargo, esta restricción se puede evitar. Como Apache Archiva ha sido retirado, no esperamos lanzar una versión de Apache Archiva que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/4 https://lists.apache.org/thread/070qcpclcb3sqk1hn8j5lvzohp30k1m2 • CWE-863: Incorrect Authorization •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-27139 – Apache Archiva: incorrect authentication potentially leading to account takeover

https://notcve.org/view.php?id=CVE-2024-27139

Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autorización incorrecta en Apache Archiva: una vulnerabilidad en Apache Archiva permite que un atacante no autenticado modifique los datos de la cuenta, lo que podría llevar a la apropiación de la cuenta. Este problema afecta a Apache Archiva: desde 2.0.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/3 https://lists.apache.org/thread/qr8b7r86p1hkn0dc0q827s981kf1bgd8 • CWE-863: Incorrect Authorization •

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-27140 – Apache Archiva: reflected XSS

https://notcve.org/view.php?id=CVE-2024-27140

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Apache Archiva. Este problema afecta a Apache Archiva: desde 2.0.0. • http://www.openwall.com/lists/oss-security/2024/03/01/2 https://lists.apache.org/thread/xrn6nt904ozh3jym60c3f5hj2fb75pjy • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-50378 – Apache Ambari: Various XSS problems

https://notcve.org/view.php?id=CVE-2023-50378

Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8    Impact : As it will be stored XSS, Could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads. Users are recommended to upgrade to version 2.7.8 which fixes this issue. Falta de validación de entrada adecuada y aplicación de restricciones en Apache Ambari antes de 2.7.8 Impacto: como se almacenará XSS, podría explotarse para realizar acciones no autorizadas, que van desde el acceso a datos hasta el secuestro de sesiones y la entrega de payloads maliciosos. Se recomienda a los usuarios actualizar a la versión 2.7.8, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/5 https://lists.apache.org/thread/6hn0thq743vz9gh283s2d87wz8tqh37c • CWE-20: Improper Input Validation •

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-26280 – Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs)

https://notcve.org/view.php?id=CVE-2024-26280

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability Apache Airflow, versiones anteriores a la 2.8.2, tiene una vulnerabilidad que permite a los usuarios autenticados de Ops y Viewers ver toda la información en los registros de auditoría, incluidos los nombres de dag y los nombres de usuario que no tenían permiso para ver. Con 2.8.2 y versiones posteriores, los usuarios de Ops y Viewer no tienen permiso de registro de auditoría de forma predeterminada; se les debe otorgar permisos explícitamente para ver los registros. De forma predeterminada, solo los usuarios administradores tienen permiso de registro de auditoría. • http://www.openwall.com/lists/oss-security/2024/03/01/1 https://github.com/apache/airflow/pull/37501 https://lists.apache.org/thread/knskxxxml95091rsnpxkpo1jjp8rj0fh • CWE-276: Incorrect Default Permissions •