CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10318 – NGINX OpenID Connect Vulnerability
https://notcve.org/view.php?id=CVE-2024-10318
06 Nov 2024 — A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session. • https://my.f5.com/manage/s/article/K000148232 • CWE-384: Session Fixation •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-28724 – NGINX Management Suite vulnerability
https://notcve.org/view.php?id=CVE-2023-28724
03 May 2023 — NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000133233 • CWE-276: Incorrect Default Permissions •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-28656 – NGINX Management Suite vulnerability
https://notcve.org/view.php?id=CVE-2023-28656
03 May 2023 — NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000133417 • CWE-639: Authorization Bypass Through User-Controlled Key •