
CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, which fixes the issue.
• References: http://www.openwall.com/lists/oss-security/2024/02/28/10 • https://issues.apache.org/jira/browse/OFBIZ-12887 • https://lists.apache.org/thread/rplfjp7ppn9ro49oo7jsrpj99m113lfc • https://ofbiz.apache.org/download.html • https://ofbiz.apache.org/release-notes-18.12.12.html • https://ofbiz.apache.org/security.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Apache Xerces C++ XML parser in versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Users are recommended to upgrade to version 3.2.5, which fixes the issue, or to mitigate the issue by disabling DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. This issue has been disclosed before as CVE-2018-1311, but unfortunately that advisory incorrectly stated the issue would be fixed in version 3.2.3 or 3.2.4.
• References: https://github.com/apache/xerces-c/pull/54 • https://lists.apache.org/thread/c497tgn864tsbm8w0bo3f0d81s07zk9r
• CWE-416: Use After Free

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

A low-privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it is important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, and from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.
• References: http://www.openwall.com/lists/oss-security/2024/02/28/7 • https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s
• CWE-863: Incorrect Authorization

CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

Apache Superset with custom roles that include `can write on dataset` but without all data access permissions allows users to create virtual datasets over data they do not have access to. These users could then use those virtual datasets to gain access to unauthorized data. This issue affects Apache Superset: before 3.0.4, and from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fix the issue.
• References: http://www.openwall.com/lists/oss-security/2024/02/28/6 • https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq
• CWE-863: Incorrect Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

A guest user could exploit a chart data REST API and send arbitrary SQL statements that, on error, could leak information from the underlying analytics database. This issue affects Apache Superset: before 3.0.4, and from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fix the issue.
• References: http://www.openwall.com/lists/oss-security/2024/02/28/5 • https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5
• CWE-20: Improper Input Validation