CVE-2024-12908
https://notcve.org/view.php?id=CVE-2024-12908
26 Dec 2024 — Delinea addressed a reported case in Secret Server v11.7.31 (protocol handler version 6.0.3.26) where, within the protocol handler function, URIs were compared before normalization and canonicalization, potentially leading to over-matching against the approved list. If successfully exploited, a remote attacker could convince a user to visit a malicious web page or open a malicious document that triggers the vulnerable handler, allowing the attacker to execute arbitrary code on the ... • https://blog.amberwolf.com/blog/2024/december/cve-2024-12908-delinea-protocol-handler---remote-code-execution-via-update-process • CWE-94: Improper Control of Generation of Code ('Code Injection') •
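Why comparing before canonicalization over-matches, as an added example that is neither Delinea's code nor taken from the advisory above: a constructed allowlist of two update prefixes (one scoped to a path, one to a whole host), a raw string-prefix check of the kind described, and a check that first reduces both sides to lower-cased scheme and host, a port with the scheme default removed, and a percent-decoded path with dot segments collapsed. The hosts, paths and allowlist entries are assumptions for the example.

```go
// Raw-string vs. canonicalized allowlist matching for URIs handed to a
// protocol handler (illustrative Go; not Delinea's code).
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// approved is a constructed allowlist of permitted update locations: one entry
// scoped to a path, one scoped to a whole host (assumptions for this example).
var approved = []string{
	"https://updates.example.com/agent",
	"https://mirror.example.net",
}

var defaultPorts = map[string]string{"http": "80", "https": "443"}

// naiveIsApproved is the flawed pattern: the raw string is compared before any
// normalization, so letter case, an explicit default port, percent-encoding,
// "../" segments and a userinfo part all change the outcome.
func naiveIsApproved(raw string) bool {
	for _, prefix := range approved {
		if strings.HasPrefix(raw, prefix) {
			return true
		}
	}
	return false
}

type canon struct {
	scheme, host, port, npath string
}

// canonicalize reduces a URI to lower-cased scheme and host, a port with the
// scheme default removed, and a decoded path with "." and ".." collapsed.
// url.Parse already lower-cases the scheme and percent-decodes into u.Path.
func canonicalize(raw string) (canon, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return canon{}, err
	}
	c := canon{
		scheme: strings.ToLower(u.Scheme),
		host:   strings.ToLower(u.Hostname()), // Hostname() drops userinfo and port
		port:   u.Port(),
	}
	if c.port == defaultPorts[c.scheme] {
		c.port = "" // https://h:443/ and https://h/ are the same origin
	}
	// Clean on a rooted path turns "/agent/../../admin" into "/admin", so a
	// traversal can no longer hide behind an approved prefix.
	c.npath = path.Clean("/" + strings.TrimPrefix(u.Path, "/"))
	return c, nil
}

// canonicalIsApproved canonicalizes the candidate and each allowlist entry,
// then compares component by component.
func canonicalIsApproved(raw string) bool {
	c, err := canonicalize(raw)
	if err != nil {
		return false
	}
	for _, prefix := range approved {
		a, err := canonicalize(prefix)
		if err != nil || a.scheme != c.scheme || a.host != c.host || a.port != c.port {
			continue
		}
		// The path must equal the approved path or sit below it on a segment
		// boundary: "/agent" must not approve "/agentsmith".
		if c.npath == a.npath || strings.HasPrefix(c.npath, strings.TrimSuffix(a.npath, "/")+"/") {
			return true
		}
	}
	return false
}

func main() {
	for _, uri := range []string{
		"https://updates.example.com/agent/setup.msi",
		"https://updates.example.com/agent/../../admin/run.exe",
		"https://updates.example.com/agent/%2e%2e/%2e%2e/admin/run.exe",
		"https://updates.example.com/agentsmith/payload.exe",
		"https://mirror.example.net@evil.example/agent/setup.msi",
		"HTTPS://UPDATES.EXAMPLE.COM:443/agent/setup.msi",
	} {
		fmt.Printf("naive=%-5t canonical=%-5t %s\n", naiveIsApproved(uri), canonicalIsApproved(uri), uri)
	}
}
```

The first four raw-string results are over-matches of three kinds (dot segments, percent-encoded dot segments, a prefix that is not on a path-segment boundary), the fifth is a userinfo trick against the host-only entry, and the last is the mirror image: an under-match on case and default port that the raw comparison wrongly rejects. Canonicalizing both the candidate and the allowlist entry, rather than only one side, is what makes the comparison meaningful.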
CVE-2024-52926
https://notcve.org/view.php?id=CVE-2024-52926
18 Nov 2024 — Delinea Privilege Manager before 12.0.2 mishandles the security of the Windows agent. • https://docs.delinea.com/online-help/privilege-manager/release-notes/12.0.2-combined.htm • CWE-269: Improper Privilege Management CWE-276: Incorrect Default Permissions •
CVE-2024-5866 – Arbitrary Directory Listing in Centrify PAS
https://notcve.org/view.php?id=CVE-2024-5866
02 Jul 2024 — Vulnerability in Delinea Centrify PAS v21.3 and possibly other versions. The application is prone to a path traversal vulnerability that allows listing arbitrary directories outside the root directory of the web application. Versions 23.1-HF7 and later contain the fix. • https://github.com/klsecservices/Advisories/blob/master/K-Delinea-2023-002.md • CWE-26: Path Traversal: '/dir/../filename' •
CVE-2024-5865 – Arbitrary File Reading in Centrify PAS
https://notcve.org/view.php?id=CVE-2024-5865
02 Jul 2024 — Vulnerability in Delinea Centrify PAS v21.3 and possibly other versions. The application is prone to a path traversal vulnerability that allows reading arbitrary files outside the web publish directory. Versions 23.1-HF7 and later contain the fix. • https://github.com/klsecservices/Advisories/blob/master/K-Delinea-2023-001.md • CWE-26: Path Traversal: '/dir/../filename' •
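The same resolver gates both the directory-listing and the file-reading cases above (CVE-2024-5866 and CVE-2024-5865), so one added example serves both. It is not Delinea's code and not taken from the advisories: a naive concatenation of the kind CWE-26 describes beside a resolver that decodes once, treats backslashes as separators, refuses any ".." segment, and independently checks that the result stays under the root. The web root and request strings are constructed for the example.

```go
// Mapping a client-supplied path onto a fixed web root (illustrative Go; not
// Delinea's code).
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("request rejected: path escapes the web root")

// naiveResolve is the CWE-26 pattern: the client string is glued onto the root
// with no normalization, so "../" segments walk out of it.
func naiveResolve(root, requested string) string {
	return root + "/" + requested
}

// safeResolve decodes the request once, treats backslashes as separators (as a
// Windows web server does), refuses any ".." segment outright, collapses the
// rest, and finally checks that the result is still at or below root.
func safeResolve(root, requested string) (string, error) {
	decoded, err := url.PathUnescape(requested) // decode exactly once, as the server does
	if err != nil {
		return "", err
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	// Reject rather than clamp: a ".." segment never appears in a legitimate
	// request (browsers resolve it before sending), and a refusal can be logged.
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return "", errOutsideRoot
		}
	}
	cleaned := path.Clean("/" + decoded) // rooted Clean also drops "." segments
	full := filepath.Join(root, filepath.FromSlash(cleaned))
	// Independent backstop: whatever happened above, full must sit under root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	// Symlinks inside root can still point outside it; a live server should
	// apply filepath.EvalSymlinks(full) and repeat the Rel check on the result.
	return full, nil
}

func main() {
	const root = "/srv/www" // constructed web root for the example
	for _, req := range []string{
		"static/index.html",
		"../../etc/passwd",
		"static/%2e%2e/%2e%2e/etc/passwd",
		`static\..\..\etc\passwd`,
	} {
		full, err := safeResolve(root, req)
		fmt.Printf("%q\n  naive: %s\n  safe:  %s %v\n", req, naiveResolve(root, req), full, err)
	}
}
```

Listing a directory goes through the same function as reading a file: resolve first, then call the directory or file API on the returned path only. The ".." rejection and the filepath.Rel check are deliberately separate so that a bug in one (a decoding change, a new separator) does not silently disable the other.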
CVE-2024-33891
https://notcve.org/view.php?id=CVE-2024-33891
28 Apr 2024 — Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hard-coded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute. • https://delinea.com/products/secret-server • CWE-321: Use of Hard-coded Cryptographic Key •
CVE-2024-25653
https://notcve.org/view.php?id=CVE-2024-25653
14 Mar 2024 — Broken access control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25653 • CWE-284: Improper Access Control •
CVE-2024-25652
https://notcve.org/view.php?id=CVE-2024-25652
14 Mar 2024 — In Delinea PAM Secret Server 11.4, it is possible for a user (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimate users. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25652 • CWE-863: Incorrect Authorization •
CVE-2024-25649
https://notcve.org/view.php?id=CVE-2024-25649
14 Mar 2024 — In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authentication is enabled), the encryption key of RabbitMQ queue messages, and session cookies. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25649 • CWE-316: Cleartext Storage of Sensitive Information in Memory •
CVE-2024-25651
https://notcve.org/view.php?id=CVE-2024-25651
14 Mar 2024 — User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25651 • CWE-203: Observable Discrepancy •
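What a response discrepancy on a token endpoint looks like, and what the fix looks like, as an added example that is not Delinea's code and says nothing about the actual Secret Server implementation: a password-grant handler that reports "user not found" and "incorrect password" separately, beside one that returns a single identical failure and does the same hashing work on both paths. The credential store, salt and hashing scheme are constructed for the example (a real service would use a slow KDF).

```go
// Uniform failure responses for a password-grant token endpoint (illustrative
// Go; not Delinea's code).
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed credential store: username -> salted SHA-256 of the password.
// A real service uses a slow KDF (bcrypt, scrypt, Argon2); SHA-256 keeps this
// example free of third-party dependencies.
var salt = []byte("example-salt")

func hashPassword(pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

var users = map[string][]byte{
	"alice": hashPassword("correct horse"),
}

// dummyHash is what an unknown user's password is compared against, so the
// unknown-user path does the same hashing and comparison as the wrong-password path.
var dummyHash = hashPassword("placeholder")

// tokenResponse mirrors the fields of an OAuth 2.0 token error response.
type tokenResponse struct {
	Status int
	Error  string // "error"
	Detail string // "error_description"
}

// leakyToken is the CWE-203 pattern: status and message differ depending on
// which check failed, so a caller learns whether the username exists.
func leakyToken(user, pw string) tokenResponse {
	stored, ok := users[user]
	if !ok {
		return tokenResponse{Status: 400, Error: "invalid_grant", Detail: "User not found"}
	}
	if subtle.ConstantTimeCompare(hashPassword(pw), stored) != 1 {
		return tokenResponse{Status: 401, Error: "invalid_grant", Detail: "Incorrect password"}
	}
	return tokenResponse{Status: 200}
}

// uniformToken returns one identical response for every failure and performs
// the same work on every path, so neither body nor timing reveals which check failed.
func uniformToken(user, pw string) tokenResponse {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash
	}
	match := subtle.ConstantTimeCompare(hashPassword(pw), stored) == 1
	if !ok || !match {
		return tokenResponse{Status: 400, Error: "invalid_grant", Detail: "Invalid username or password"}
	}
	return tokenResponse{Status: 200}
}

func main() {
	for _, attempt := range [][2]string{{"alice", "wrong"}, {"bob", "wrong"}, {"alice", "correct horse"}} {
		fmt.Printf("%-6s leaky=%+v uniform=%+v\n", attempt[0],
			leakyToken(attempt[0], attempt[1]), uniformToken(attempt[0], attempt[1]))
	}
}
```

The same rule has to hold for everything around the endpoint: account lockout, rate limiting and audit-log side effects must apply identically to unknown and known usernames, or the discrepancy simply moves from the response body to a side channel.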
CVE-2023-4589 – Insufficient verification of data authenticity vulnerability in Delinea Secret Server
https://notcve.org/view.php?id=CVE-2023-4589
06 Sep 2023 — Insufficient verification of data authenticity vulnerability in Delinea Secret Server version 10.9.000002. An attacker with an administrator account could perform software updates without proper integrity verification. The update process lacks digital signatures and fails to validate the integrity of the update package, allowing the attacker to inject malicious applications during the update. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server • CWE-345: Insufficient Verification of Data Authenticity •
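The check the advisory says was missing, as an added example that is not Delinea's code and does not describe how Secret Server's updater works: the vendor signs the SHA-256 digest of the package with an Ed25519 key, the product carries only the pinned public key, and the update is refused before anything is unpacked unless the signature verifies. An administrator's rights play no part in that decision. The key pair, the package bytes and the choice of Ed25519 over a SHA-256 digest are assumptions for the example.

```go
// Signature verification of an update package before it is applied
// (illustrative Go; not Delinea's code).
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errBadSignature = errors.New("update rejected: signature does not verify under the pinned key")

// signPackage runs on the publisher side: sign the SHA-256 digest of the
// package bytes. The private key stays with the vendor; only the public key
// is built into the product, never shipped inside the package itself.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// verifiedApply is the product-side gate. The CWE-345 pattern installs
// whatever an administrator uploads as long as it unpacks; this function
// returns the bytes to install only after the signature verifies, and does
// so before any extraction, so a tampered archive is never even parsed.
func verifiedApply(pub ed25519.PublicKey, pkg, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errBadSignature
	}
	return pkg, nil
}

// demo runs the whole flow on a constructed package and reports whether the
// genuine package and a one-byte-modified copy were accepted.
func demo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pkg := []byte("example-update-package-v1") // constructed stand-in for the real archive
	sig := signPackage(priv, pkg)

	_, err = verifiedApply(pub, pkg, sig)
	genuineOK = err == nil

	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01 // injected change, as an attacker with upload rights could make
	_, err = verifiedApply(pub, tampered, sig)
	tamperedOK = err == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine package verified: %t\ntampered package verified: %t\n", genuine, tampered)
}
```

Two things follow from where the key lives: a compromised administrator account cannot forge an update because it never holds the signing key, and rotating that key is a product release, so the verifier should be able to carry more than one pinned public key during a transition.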