CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-25294 – Envoy Gateway Log Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-25294
06 Mar 2025 — Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable to log injection attacks. If the attacker uses a specially crafted user-agent which performs json injection, then he could add and overwrite fields to the access log. This vulnerability is fixed in 1.3.1 and 1.2.7. • https://github.com/envoyproxy/gateway/commit/8f48f5199cf1bbb9a8ac0695c5171bfef6c9198a • CWE-117: Improper Output Neutralization for Logs •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52528 – Auth Token can be passed dummy or wrong the middleware response is 200 OK
https://notcve.org/view.php?id=CVE-2024-52528
15 Nov 2024 — Budget Control Gateway acts as an entry point for incoming requests and routes them to the appropriate microservices for Budget Control. Budget Control Gateway does not properly validate auth tokens, which allows attackers to bypass intended restrictions. This vulnerability is fixed in 1.5.2. • https://github.com/BudgetControl/Gateway/security/advisories/GHSA-jqx6-gm7f-vp7m • CWE-285: Improper Authorization •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-18177
https://notcve.org/view.php?id=CVE-2019-18177
26 Dec 2022 — In certain Citrix products, information disclosure can be achieved by an authenticated VPN user when there is a configured SSL VPN endpoint. This affects Citrix ADC and Citrix Gateway 13.0-58.30 and later releases before the CTX276688 update. En ciertos productos Citrix, un usuario de VPN autenticado puede lograr la divulgación de información cuando hay un endpoint de VPN SSL configurado. Esto afecta a Citrix ADC y Citrix Gateway 13.0-58.30 y versiones posteriores antes de la actualización CTX276688. • https://support.citrix.com/article/CTX276688/citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance-security-update •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38368
https://notcve.org/view.php?id=CVE-2022-38368
15 Aug 2022 — An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands. Se ha detectado un problema en Aviatrix Gateway versiones anteriores a 6.6.5712 y 6.7.x anteriores a 6.7.1376. Debido a que las funciones de la API de Gateway manejan inapropiadamente la autenticación, un usuario de VPN autenticado puede inyectar comandos arbitrarios. • https://docs.aviatrix.com/HowTos/PSIRT_Advisories.html#aviatrix-controller-and-gateways-unauthorized-access • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 0CVE-2022-30792 – CODESYS: CmpChannelServer, CmpChannelServerEmbedded allow unauthenticated attackers to block all their available communication channels
https://notcve.org/view.php?id=CVE-2022-30792
11 Jul 2022 — In CmpChannelServer of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new communication channel connections. Existing connections are not affected. En CmpChannelServer de CODESYS versión V3 en múltiples versiones un consumo no controlado de recursos permite a un atacante no autorizado bloquear nuevas conexiones de canales de comunicación. Las conexiones existentes no están afectadas • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17128&token=bee4d8a57f19be289d623ec90135493b5f9179e3&download= • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 20EXPL: 0CVE-2022-30791 – CODESYS V3: CmpBlkDrvTcp allows unauthenticated attackers to block all its available TCP connections
https://notcve.org/view.php?id=CVE-2022-30791
11 Jul 2022 — In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected. En CmpBlkDrvTcp de CODESYS versión V3 en múltiples versiones un consumo no controlado de recursos permite a un atacante no autorizado bloquear nuevas conexiones TCP. Las conexiones existentes no están afectadas • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17128&token=bee4d8a57f19be289d623ec90135493b5f9179e3&download= • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2022-31805 – Insecure transmission of credentials
https://notcve.org/view.php?id=CVE-2022-31805
24 Jun 2022 — In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected. En CODESYS Development System, varios componentes en diversos versiones transmiten las contraseñas para la comunicación entre clientes y servidores sin protección • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17140&token=6aa2c5c4a8b83b8b09936fefed5b0b11f9d2cc6c&download= • CWE-523: Unprotected Transport of Credentials •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2022-22517 – Communication Components in multiple CODESYS products vulnerable to communication channel disruption
https://notcve.org/view.php?id=CVE-2022-22517
07 Apr 2022 — An unauthenticated, remote attacker can disrupt existing communication channels between CODESYS products by guessing a valid channel ID and injecting packets. This results in the communication channel to be closed. Un atacante remoto no autenticado puede interrumpir los canales de comunicación presentes entre los productos CODESYS al adivinar un ID de canal válido e inyectando paquetes. Esto hace que el canal de comunicación sea cerrado • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17091&token=c450f8bbbd838c647d102f359356386c6ea5aeca&download= • CWE-330: Use of Insufficiently Random Values CWE-334: Small Space of Random Values •
CVSS: 7.1EPSS: 0%CPEs: 21EXPL: 0CVE-2022-22514 – Untrusted Pointer Dereference in multiple CODESYS products can lead to a DoS.
https://notcve.org/view.php?id=CVE-2022-22514
07 Apr 2022 — An authenticated, remote attacker can gain access to a dereferenced pointer contained in a request. The accesses can subsequently lead to local overwriting of memory in the CmpTraceMgr, whereby the attacker can neither gain the values read internally nor control the values to be written. If invalid memory is accessed, this results in a crash. Un atacante remoto autentificado puede obtener acceso a un puntero desreferenciado contenido en una solicitud. Los accesos pueden llevar posteriormente a la sobreescri... • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17093&token=15cd8424832ea10dcd4873a409a09a539ee381ca&download= • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-822: Untrusted Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 21EXPL: 0CVE-2022-22513 – Null Pointer Dereference in multiple CODESYS products can lead to a DoS.
https://notcve.org/view.php?id=CVE-2022-22513
07 Apr 2022 — An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash. Un atacante remoto autenticado puede causar una desreferencia de puntero null en el componente CmpSettings de los productos CODESYS afectados, lo que conlleva a un bloqueo • https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17093&token=15cd8424832ea10dcd4873a409a09a539ee381ca&download= • CWE-476: NULL Pointer Dereference •