CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25377
https://notcve.org/view.php?id=CVE-2022-25377
22 Feb 2024 — The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APP_STORAGE_CERTIFICATES/.well-known/acme-challenge must exist on disk. (This pathname is automatically created if the user chooses to install Let's Encrypt certificates via Appwrite.) El endpoint del desafío ACME en Appwrite v0.5.0 hasta v0.12.x anterior a v0.12.2 permite a atacantes remotos leer archivos locales de su elecc... • https://dubell.io/unauthenticated-lfi-in-appwrite-0.5.0-0.12.1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1063
https://notcve.org/view.php?id=CVE-2024-1063
30 Jan 2024 — Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159. Appwrite <= v1.4.13 se ve afectada por Server-Side Request Forgery (SSRF) a través del endpoint '/v1/avatars/favicon' debido a una solución incompleta de CVE-2023-27159. • https://www.tenable.com/security/research/tra-2024-03 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-50974
https://notcve.org/view.php?id=CVE-2023-50974
09 Jan 2024 — In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials. En Appwrite CLI anterior a 3.0.0, cuando se utiliza el comando de inicio de sesión, las credenciales del usuario de Appwrite se almacenan en un archivo ~/.appwrite/prefs.json con 0644 como permisos UNIX. Cualquier usuario del sistema local puede acceder a esas credenciales. • https://appwrite.io/docs/tooling/command-line/installation • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 77%CPEs: 1EXPL: 3CVE-2023-27159
https://notcve.org/view.php?id=CVE-2023-27159
31 Mar 2023 — Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request. • http://appwrite.com • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2925 – Cross-site Scripting (XSS) - Stored in appwrite/appwrite
https://notcve.org/view.php?id=CVE-2022-2925
09 Sep 2022 — Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Almacenado en el repositorio GitHub appwrite/appwrite versiones anteriores a 1.0.0-RC1 • https://github.com/appwrite/appwrite/commit/b5b4d92623c13fa8e5c71736db461e81fb7a7ade • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 3EXPL: 2CVE-2021-23682 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2021-23682
16 Feb 2022 — This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability. Esto afecta al paquete litespeed.js versiones anteriores a 0.3.12; al paquete appwrite/server-ce desde versión 0.12.0 y anteriores a 0.12.2, anteriores a 0.11.1. Cuando es analizada la cadena de consulta e... • https://github.com/appwrite/appwrite/pull/2778 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •