5 results (0.009 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159. Appwrite &lt;= v1.4.13 se ve afectada por Server-Side Request Forgery (SSRF) a través del endpoint '/v1/avatars/favicon' debido a una solución incompleta de CVE-2023-27159. • https://www.tenable.com/security/research/tra-2024-03 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials. En Appwrite CLI anterior a 3.0.0, cuando se utiliza el comando de inicio de sesión, las credenciales del usuario de Appwrite se almacenan en un archivo ~/.appwrite/prefs.json con 0644 como permisos UNIX. Cualquier usuario del sistema local puede acceder a esas credenciales. • https://appwrite.io/docs/tooling/command-line/installation https://gist.github.com/SkypLabs/72ee00ecfa7d1a3494e2d69a24279c1d • CWE-798: Use of Hard-coded Credentials •

CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 3

Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request. • http://appwrite.com https://gist.github.com/b33t1e/43b26c31e895baf7e7aea2dbf9743a9a https://gist.github.com/b33t1e/e9e8192317c111e7897e04d2f9bf5fdb https://github.com/appwrite/appwrite https://notes.sjtu.edu.cn/gMNlpByZSDiwrl9uZyHTKA • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1

Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Almacenado en el repositorio GitHub appwrite/appwrite versiones anteriores a 1.0.0-RC1 • https://github.com/appwrite/appwrite/commit/b5b4d92623c13fa8e5c71736db461e81fb7a7ade https://huntr.dev/bounties/a3b4148f-165f-4583-abed-5568696d99dc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 2%CPEs: 3EXPL: 2

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability. Esto afecta al paquete litespeed.js versiones anteriores a 0.3.12; al paquete appwrite/server-ce desde versión 0.12.0 y anteriores a 0.12.2, anteriores a 0.11.1. Cuando es analizada la cadena de consulta en la función getJsonFromUrl, la clave que es establecida en el objeto resultante no es saneada apropiadamente, conllevando a una vulnerabilidad de Contaminación de Prototipos • https://github.com/appwrite/appwrite/pull/2778 https://github.com/appwrite/appwrite/releases/tag/0.11.1 https://github.com/appwrite/appwrite/releases/tag/0.12.2 https://github.com/litespeed-js/litespeed.js/pull/18 https://snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250 https://snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •