CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Mar 2025 — Appsmith is a platform to build admin panels, internal tools, and dashboards. Users invited as "App Viewer" should not have access to development information of a workspace. Datasources are such a component in a workspace. Yet, in versions of Appsmith prior to 1.51, app viewers are able to get a list of datasources in a workspace they're a member of. This information disclosure does NOT expose sensitive data in the datasources, such as database passwords and API Keys. • https://github.com/appsmithorg/appsmith/security/advisories/GHSA-794x-gm8v-2wj6 • CWE-280: Improper Handling of Insufficient Permissions or Privileges

CVSS: 8.8 • EPSS: 6% • CPEs: 1 • EXPL: 2

21 Nov 2022 — Server-Side Request Forgery (SSRF) in GitHub repository appsmithorg/appsmith prior to 1.8.2. • https://github.com/aminetitrofine/CVE-2022-4096 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Sep 2022 — An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint. • https://github.com/appsmithorg/appsmith/pull/15834

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Sep 2022 — Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint. • https://github.com/appsmithorg/appsmith/pull/15782 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Sep 2022 — Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak. • https://github.com/FCncdn/Appsmith-Js-Injection-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')