CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7093 – Server-Side Template Injection in Dispatch Message Templates
https://notcve.org/view.php?id=CVE-2024-7093
01 Aug 2024 — Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-003.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-40171 – Dispatch writes JWT tokens in error message
https://notcve.org/view.php?id=CVE-2023-40171
17 Aug 2023 — Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error when attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing for any account to be taken over within their own instance. This could b... • https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-9299
https://notcve.org/view.php?id=CVE-2020-9299
09 Nov 2020 — There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user. Se detectaron y reportaron vulnerabilidades de tipo XSS en la aplicación Dispatch, que afectaron los parámetros name y description de Incident Priority, Incident Type, Tag Type, e Incident Filter. Esta vulnerabilidad puede ser explotada por un usuario... • https://github.com/Netflix/dispatch/releases/tag/v20201106 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-9300
https://notcve.org/view.php?id=CVE-2020-9300
09 Nov 2020 — The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines the risk of this is lowered, as this may only be exploited by an authenticated user. Los problemas de Control de Acceso incluyen permitir a un usuario normal visualizar un incidente restringido, ... • https://github.com/Netflix/dispatch/releases/tag/v20201106 •