CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 0CVE-2022-23734 – Deserialization of Untrusted Data vulnerability in GitHub Enterprise Server leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-23734
A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerability affected all versions of GitHub Enterprise Server prior to v3.6 and was fixed in versions 3.5.3, 3.4.6, 3.3.11, and 3.2.16. This vulnerability was reported via the GitHub Bug Bounty program. Se ha identificado una vulnerabilidad de deserialización de datos no fiables en GitHub Enterprise Server que podría conllevar la ejecución de código remota en el SVNBridge. • https://docs.github.com/en/enterprise-server%403.2/admin/release-notes#3.2.16 https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.11 https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.6 https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.3 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23733 – Stored XSS vulnerability in GitHub Enterprise Server leading to injection of arbitrary attributes
https://notcve.org/view.php?id=CVE-2022-23733
A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.3.11, 3.4.6 and 3.5.3. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de tipo XSS almacenado en GitHub Enterprise Server que permitía la inyección de atributos arbitrarios. • https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.11 https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.6 https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-23732 – Path traversal in GitHub Enterprise Server management console leading to a bypass of CSRF protections
https://notcve.org/view.php?id=CVE-2022-23732
A path traversal vulnerability was identified in GitHub Enterprise Server management console that allowed the bypass of CSRF protections. This could potentially lead to privilege escalation. To exploit this vulnerability, an attacker would need to target a user that was actively logged into the management console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the GitHub Bug Bounty program. • https://docs.github.com/en/enterprise-server%403.1/admin/release-notes#3.1.19 https://docs.github.com/en/enterprise-server%403.2/admin/release-notes#3.2.11 https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.6 https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 8.8EPSS: 0%CPEs: 46EXPL: 0CVE-2020-9523
https://notcve.org/view.php?id=CVE-2020-9523
Insufficiently protected credentials vulnerability on Micro Focus enterprise developer and enterprise server, affecting all version prior to 4.0 Patch Update 16, and version 5.0 Patch Update 6. The vulnerability could allow an attacker to transmit hashed credentials for the user account running the Micro Focus Directory Server (MFDS) to an arbitrary site, compromising that account's security. Una vulnerabilidad de credenciales insuficientemente protegidas en el desarrollador empresarial y el servidor empresarial de Micro Focus, afectando a todas las versiones anteriores a 4.0 Patch Update 16, y versión 5.0 Patch Update 6. La vulnerabilidad podría permitir a un atacante transmitir credenciales del hash para la cuenta de usuario que ejecuta el Micro Focus Directory Server (MFDS) en un sitio arbitrario, comprometiendo la seguridad de esa cuenta. • https://softwaresupport.softwaregrp.com/doc/KM03634936 • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.1EPSS: 0%CPEs: 68EXPL: 0CVE-2019-11651
https://notcve.org/view.php?id=CVE-2019-11651
Reflected XSS on Micro Focus Enterprise Developer and Enterprise Server, all versions prior to version 3.0 Patch Update 20, version 4.0 Patch Update 12, and version 5.0 Patch Update 2. The vulnerability could be exploited to redirect a user to a malicious page or forge certain types of web requests. Una vulnerabilidad de tipo XSS Reflejado en Micro Focus Enterprise Developer y Enterprise Server, todas las versiones anteriores a la versión 3.0 Patch Update 20, versión 4.0 Patch Update 12 y versión 5.0 Patch Update 2. La vulnerabilidad podría explotarse para redireccionar a un usuario hacia una página maliciosa o falsificar ciertos tipos de peticiones web. • https://softwaresupport.softwaregrp.com/doc/KM03532232 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •