CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46502
https://notcve.org/view.php?id=CVE-2023-46502
An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. Un problema en openCRX v.5.2.2 permite a un atacante remoto leer archivos internos y ejecutar un ataque de server side request forgery a través de DocumentBuilderFactory inseguro. • https://gist.github.com/spookhorror/9519fc66d3946e887e4a86c06ddbee0e https://github.com/opencrx/opencrx/commit/ce7a71db0bb34ecbcb0e822d40598e410a48b399 • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40084
https://notcve.org/view.php?id=CVE-2022-40084
OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid. Se ha detectado que OpenCRX versiones anteriores a v5.2.2, es vulnerable a una enumeración de contraseñas debido a la diferencia en los mensajes de error recibidos durante el restablecimiento de la contraseña, lo que podría permitir a un atacante determinar si un nombre de usuario, correo electrónico o ID es válido • https://cwe.mitre.org/data/definitions/204.html#:~:text=User%20enumeration%20via%20discrepancies%20in%20error%20messages.%2C-CVE-2004-0294&text=Bulletin%20Board%20displays%20different%20error%2Cbrute%20force%20password%20guessing%20attack. https://github.com/ciph0x01/OpenCRX-CVE/blob/main/CVE-2022-40084.md • CWE-203: Observable Discrepancy •