CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 0

24 Feb 2025 — In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands. • https://github.com/mitre/caldera/commit/35bc06e42e19fe7efbc008999b9f993b1b7109c0 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Apr 2024 — A SQL injection vulnerability via the Save Favorite Search function in Axefinance Axe Credit Portal >= v.3.0 allows authenticated attackers to execute unintended queries and disclose sensitive information from DB tables via crafted requests. • https://www.4rth4s.xyz/2024/04/cve-2024-22856-authenticated-blind-sql.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 • EPSS: 0% • CPEs: 3 • EXPL: 0

19 Apr 2024 — Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000. It was discovered that libde265 could be made to allocate memory that exceeds the maximum supported size. If... • https://github.com/strukturag/libde265 • CWE-121: Stack-based Buffer Overflow

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Oct 2022 — MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606. • https://github.com/mitre/caldera/releases/tag/4.1.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Oct 2022 — MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40605. • https://github.com/mitre/caldera/releases/tag/4.1.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Oct 2022 — MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents. • https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-7344-4pg9-qf45 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 2

25 May 2022 — CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch. • https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83 • CWE-312: Cleartext Storage of Sensitive Information • CWE-779: Logging of Excessive Data

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Jan 2022 — controller/org.controller/org.controller.js in the CVE Services API 1.1.1 before 5c50baf3bda28133a3bc90b854765a64fb538304 allows an organizational administrator to transfer a user account to an arbitrary new organization, and thereby achieve unintended access within the context of that new organization. • https://github.com/CVEProject/cve-services/commit/5c50baf3bda28133a3bc90b854765a64fb538304 • CWE-863: Incorrect Authorization

CVSS: 8.8 • EPSS: 3% • CPEs: 1 • EXPL: 2

12 Jan 2022 — An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted. • https://github.com/mbadanoiu/CVE-2021-42559 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 6.1 • EPSS: 2% • CPEs: 1 • EXPL: 2

12 Jan 2022 — An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers. • https://github.com/mbadanoiu/CVE-2021-42558 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')