CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33616
https://notcve.org/view.php?id=CVE-2021-33616
RSA Archer 6.x through 6.9 SP1 P4 (6.9.1.4) allows stored XSS. RSA Archer versiones 6.x hasta 6.9 SP1 P4 (6.9.1.4) permite un ataque de tipo XSS almacenado • https://community.rsa.com/t5/archer-product-advisories/tkb-p/archer-product-advisories https://github.com/fireeye/Vulnerability-Disclosures https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0020/MNDT-2022-0020.md https://www.archerirm.community/t5/security-advisories/archer-an-rsa-business-update-for-multiple-vulnerabilities/ta-p/674497 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38362
https://notcve.org/view.php?id=CVE-2021-38362
In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data. En RSA Archer versiones 6.x hasta 6.9 SP3 (6.9.3.0), un atacante autenticado puede hacer una petición GET a un endpoint de la API REST que es vulnerable a un problema de Referencia Directa a Objetos Insegura (IDOR) y recuperar datos confidenciales • https://github.com/fireeye/Vulnerability-Disclosures https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0021/MNDT-2022-0021.md https://www.archerirm.community/t5/security-advisories/archer-an-rsa-business-update-for-multiple-vulnerabilities/ta-p/674497 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41594
https://notcve.org/view.php?id=CVE-2021-41594
In RSA Archer 6.9.SP1 P3, if some application functions are precluded by the Administrator, this can be bypassed by intercepting the API request at the /api/V2/internal/TaskPermissions/CheckTaskAccess endpoint. If the parameters of this request are replaced with empty fields, the attacker achieves access to the precluded functions. En RSA Archer versión 6.9.SP1 P3, si algunas funciones de la aplicación son excluidas por el Administrador, esto puede ser evitado al interceptar la petición de la API en el endpoint /api/V2/internal/TaskPermissions/CheckTaskAccess. Si son sustituidos los parámetros de esta petición por campos vacíos, el atacante consigue acceder a las funciones excluidas • https://www.archerirm.community/t5/security-advisories/archer-an-rsa-business-update-for-multiple-vulnerabilities/ta-p/674497 https://www.rsa.com/en-us/company/vulnerability-response-policy •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26951
https://notcve.org/view.php?id=CVE-2022-26951
Archer 6.x through 6.10 (6.10.0.0) contains a reflected XSS vulnerability. A remote SAML-unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application. Archer 6.x hasta 6.10 (6.10.0.0) contiene una vulnerabilidad de tipo XSS reflejada. Un usuario remoto de Archer no autenticado podría explotar esta vulnerabilidad al engañar a un usuario de la aplicación víctima para que suministre código HTML o JavaScript malicioso a la aplicación web vulnerable; el código malicioso es reflejado entonces en la víctima y es ejecutado por el navegador web en el contexto de la aplicación web vulnerable • https://www.archerirm.community/t5/general-support-information/tkb-p/information-support https://www.archerirm.community/t5/security-advisories/archer-an-rsa-business-update-for-multiple-vulnerabilities/ta-p/674497 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26950
https://notcve.org/view.php?id=CVE-2022-26950
Archer 6.x through 6.9 P2 (6.9.0.2) is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred. Archer versiones 6.x hasta 6.9 P2 (6.9.0.2) está afectado por una vulnerabilidad de redireccionamiento abierto. Un atacante remoto no privilegiado puede potencialmente redirigir a usuarios legítimos a sitios web arbitrarios y realizar ataques de phishing. • https://www.archerirm.community/t5/general-support-information/tkb-p/information-support https://www.archerirm.community/t5/security-advisories/archer-an-rsa-business-update-for-multiple-vulnerabilities/ta-p/674497 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •