
CVSS: 6.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Dec 2024 — Delinea addressed a reported case on Secret Server v11.7.31 (protocol handler version 6.0.3.26) where, within the protocol handler function, URIs were compared before normalization and canonicalization, potentially leading to over-matching against the approved list. If this attack were successfully exploited, a remote attacker may be able to convince a user to visit a malicious web page, or open a malicious document which could trigger the vulnerable handler, allowing them to execute arbitrary code on the ... • https://blog.amberwolf.com/blog/2024/december/cve-2024-12908-delinea-protocol-handler---remote-code-execution-via-update-process • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Apr 2024 — Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute. • https://delinea.com/products/secret-server • CWE-321: Use of Hard-coded Cryptographic Key

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Mar 2024 — Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25653 • CWE-284: Improper Access Control

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Mar 2024 — In Delinea PAM Secret Server 11.4, it is possible for a user (with access to the Report functionality) to gain unauthorized access to remote sessions created by legitimate users. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25652 • CWE-863: Incorrect Authorization

CVSS: 6.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Mar 2024 — In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authentication is enabled), the encryption key of RabbitMQ queue messages, and session cookies. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25649 • CWE-316: Cleartext Storage of Sensitive Information in Memory

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Mar 2024 — User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. This allows a remote attacker to determine whether a user is valid because of a difference in responses from the /oauth2/token endpoint. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25651 • CWE-203: Observable Discrepancy

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Sep 2023 — Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. An attacker with an administrator account could perform software updates without proper integrity verification mechanisms. In this scenario, the update process lacks digital signatures and fails to validate the integrity of the update package, allowing the attacker to inject malicious applications during the update. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server • CWE-345: Insufficient Verification of Data Authenticity

CVSS: 6.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

06 Sep 2023 — File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Exploitation of this vulnerability could allow an authenticated user with administrative privileges to create a backup file in the application's webroot directory, changing the default backup directory to the wwwroot folder, and download it with some configuration files such as encryption.config/ and database.config stored in the wwwroot directory, exposing the database credentials in plain text. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server • CWE-552: Files or Directories Accessible to External Parties