
CVE-2022-1049 – pcs: improper authentication via PAM
https://notcve.org/view.php?id=CVE-2022-1049
25 Mar 2022 — A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon allowed expired accounts, and accounts with expired passwords, to log in when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still log in. • https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5 • CWE-287: Improper Authentication

CVE-2017-2661
https://notcve.org/view.php?id=CVE-2017-2661
12 Mar 2018 — ClusterLabs pcs before version 0.9.157 is vulnerable to cross-site scripting (XSS) due to improper validation of the Node name field when creating a new cluster or adding an existing cluster. • https://bugzilla.redhat.com/show_bug.cgi?id=1428948 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2016-0720 – pcs: Cross-Site Request Forgery in web UI
https://notcve.org/view.php?id=CVE-2016-0720
04 Nov 2016 — Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149. A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. The pcs packages provide a co... • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2016-0721 – pcs: cookies are not invalidated upon logout
https://notcve.org/view.php?id=CVE-2016-0721
04 Nov 2016 — Session fixation vulnerability in pcsd in pcs before 0.9.157. It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html • CWE-384: Session Fixation