CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26580 – Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability
https://notcve.org/view.php?id=CVE-2024-26580
Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673 Vulnerabilidad de deserialización de datos no confiables en Apache InLong. Este problema afecta a Apache InLong: desde 1.8.0 hasta 1.10.0, los atacantes pueden usar el payload específica para leer desde un archivo arbitrario. Se recomienda a los usuarios actualizar a Apache InLong 1.11.0 o seleccionar [1] para resolverlo. [1] https://github.com/apache/inlong/pull/9673 • http://www.openwall.com/lists/oss-security/2024/03/06/1 https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27138 – Apache Archiva: disabling user registration is not effective
https://notcve.org/view.php?id=CVE-2024-27138
Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer Vulnerabilidad de autorización incorrecta en Apache Archiva. Apache Archiva tiene una configuración para deshabilitar el registro de usuarios; sin embargo, esta restricción se puede evitar. Como Apache Archiva ha sido retirado, no esperamos lanzar una versión de Apache Archiva que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/4 https://lists.apache.org/thread/070qcpclcb3sqk1hn8j5lvzohp30k1m2 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27139 – Apache Archiva: incorrect authentication potentially leading to account takeover
https://notcve.org/view.php?id=CVE-2024-27139
Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de autorización incorrecta en Apache Archiva: una vulnerabilidad en Apache Archiva permite que un atacante no autenticado modifique los datos de la cuenta, lo que podría llevar a la apropiación de la cuenta. Este problema afecta a Apache Archiva: desde 2.0.0. Como este proyecto está retirado, no planeamos lanzar una versión que solucione este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/3 https://lists.apache.org/thread/qr8b7r86p1hkn0dc0q827s981kf1bgd8 • CWE-863: Incorrect Authorization •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27140 – Apache Archiva: reflected XSS
https://notcve.org/view.php?id=CVE-2024-27140
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Apache Archiva. Este problema afecta a Apache Archiva: desde 2.0.0. • http://www.openwall.com/lists/oss-security/2024/03/01/2 https://lists.apache.org/thread/xrn6nt904ozh3jym60c3f5hj2fb75pjy • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50378 – Apache Ambari: Various XSS problems
https://notcve.org/view.php?id=CVE-2023-50378
Lack of proper input validation and constraint enforcement in Apache Ambari prior to 2.7.8 Impact : As it will be stored XSS, Could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads. Users are recommended to upgrade to version 2.7.8 which fixes this issue. Falta de validación de entrada adecuada y aplicación de restricciones en Apache Ambari antes de 2.7.8 Impacto: como se almacenará XSS, podría explotarse para realizar acciones no autorizadas, que van desde el acceso a datos hasta el secuestro de sesiones y la entrega de payloads maliciosos. Se recomienda a los usuarios actualizar a la versión 2.7.8, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/03/01/5 https://lists.apache.org/thread/6hn0thq743vz9gh283s2d87wz8tqh37c • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •