CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18327
https://notcve.org/view.php?id=CVE-2020-18327
Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2 Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en Alfresco Community Edition versión v5.2.0, por medio del parámetro action en la API alfresco/s/admin/admin-nodebrowser. Corregido en versión v6.2 • https://gist.github.com/paatui/a3c7ca8cf12594b437d3854f13d76cb8 https://www.cvedetails.com/vulnerability-list/vendor_id-13372/product_id-27784/opxss-1/Alfresco-Alfresco.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-41792
https://notcve.org/view.php?id=CVE-2021-41792
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3. A crafted HTML file, once uploaded, could trigger an unexpected request by the transformation engine. The response to the request is not available to the attacker, i.e., this is blind SSRF. Se ha detectado un problema en Hyland org.alfresco:alfresco-content-services versiones hasta 6.2.2.18 y org.alfresco:alfresco-transform-services versiones hasta 1.3. Un archivo HTML diseñado, una vez cargado, podría desencadenar una petición inesperada por parte del motor de transformación. • https://github.com/Alfresco/acs-packaging/blob/master/DISCLOSURES.md https://www.themissinglink.com.au • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 9EXPL: 0CVE-2021-41791
https://notcve.org/view.php?id=CVE-2021-41791
An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0. An evasion of the XSS filter for HTML input validation in the Alfresco Share User Interface leads to stored XSS that could be exploited by an attacker (given that he has privileges on the content collaboration features). Se ha detectado un problema en Hyland org.alfresco:share versiones hasta 7.0.0.2 y org.alfresco:community-share versiones hasta 7.0. Una omisión del filtro de tipo XSS para la comprobación de entradas HTML en la Interfaz de Usuario de Alfresco Share conlleva a un ataque de tipo XSS almacenado que podría ser explotado por un atacante (dado que presenta privilegios en las funcionalidades content collaboration) • https://github.com/Alfresco/acs-packaging/blob/master/DISCLOSURES.md https://www.themissinglink.com.au • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-41790
https://notcve.org/view.php?id=CVE-2021-41790
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment. Se ha detectado un problema en Hyland org.alfresco:alfresco-content-services versiones hasta 7.0.1.2. La ejecución de acciones de script permite ejecutar scripts cargados fuera del diccionario de datos. • https://github.com/Alfresco/acs-packaging/blob/master/DISCLOSURES.md https://www.themissinglink.com.au •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15181 – Admin account takeover in Alfresco Reset Password
https://notcve.org/view.php?id=CVE-2020-15181
The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0 El add-on Alfresco Reset Password versiones anteriores a 1.2.0, se basa en entradas no confiables en una decisión de seguridad. Los intrusos pueden conseguir acceso de administrador al sistema usando la vulnerabilidad en el proyecto. • https://github.com/FlexSolution/AlfrescoResetPassword/commit/5927b9651356c4cd952cb9b485292583d305b47c https://github.com/FlexSolution/AlfrescoResetPassword/security/advisories/GHSA-xrc8-fjp4-h4fv • CWE-20: Improper Input Validation CWE-284: Improper Access Control •