CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-1049 – pcs: improper authentication via PAM
https://notcve.org/view.php?id=CVE-2022-1049
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login. Se encontró un fallo en la herramienta de configuración de Pacemaker (pcs). El demonio pcs permitía que las cuentas caducadas y las cuentas con contraseñas caducadas iniciaran sesión cuando era usada la autenticación PAM. • https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5 https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html https://www.debian.org/security/2022/dsa-5226 https://access.redhat.com/security/cve/CVE-2022-1049 https://bugzilla.redhat.com/show_bug.cgi?id=2066629 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2661
https://notcve.org/view.php?id=CVE-2017-2661
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster. ClusterLabs pcs, en versiones anteriores a la 0.9.157, es vulnerable a Cross-Site Scripting (XSS) debido a la validación incorrecta del campo Node name al crear un nuevo clúster o al añadir uno ya existente. • https://bugzilla.redhat.com/show_bug.cgi?id=1428948 https://github.com/ClusterLabs/pcs/commit/1874a769b5720ae5430f10c6cedd234430bc703f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0720 – pcs: Cross-Site Request Forgery in web UI
https://notcve.org/view.php?id=CVE-2016-0720
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149. Vulnerabilidad de CSRF en pcsd web UI en pcs en versiones anteriores a 0.9.149. A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178384.html http://rhn.redhat.com/errata/RHSA-2016-2596.html http://www.securityfocus.com/bid/97984 https://bugzilla.redhat.com/show_bug.cgi?id=1299614 https://github.com/ClusterLabs/pcs/commit/b9e7f061788c3b86a0c67d2d4158f067ec5eb625 https://access.redhat.com/security/cve/CVE-2016-0720 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0721 – pcs: cookies are not invalidated upon logout
https://notcve.org/view.php?id=CVE-2016-0721
Session fixation vulnerability in pcsd in pcs before 0.9.157. Vulnerabilidad de fijación de sesión en pcsd en pcs en versiones anteriores a 0.9.157. It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178384.html http://rhn.redhat.com/errata/RHSA-2016-2596.html http://www.securityfocus.com/bid/97977 https://bugzilla.redhat.com/show_bug.cgi?id=1299615 https://github.com/ClusterLabs/pcs/commit/acdbbe8307e6f4a36b2c7754765e732e43fe8d17 https://github.com/ClusterLabs/pcs/commit/bc6ad9086857559db57f4e3e6de66762291c0774 https://github.com/ClusterLabs/pcs/commit/e9b28833d54a47ec441f6 • CWE-384: Session Fixation •