CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-45824 – OroPlatform's pinned entity creation form shows pages of other users
https://notcve.org/view.php?id=CVE-2023-45824
25 Mar 2024 — OroPlatform is a PHP Business Application Platform (BAP). A logged in user can access page state data of pinned pages of other users by pageId hash. This vulnerability is fixed in 5.1.4. OroPlatform es una plataforma de aplicaciones empresariales (BAP) PHP. Un usuario que ha iniciado sesión puede acceder a los datos del estado de la página de las páginas fijadas de otros usuarios mediante el hash de ID de página. • https://github.com/oroinc/platform/commit/cf94df7595afca052796e26b299d2ce031e289cd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5964 – 1E-Exchange-DisplayMessage instruction allows for arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-5964
06 Nov 2023 — The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it w... • https://exchange.1e.com/product-packs/end-user-interaction • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45163 – 1E-Exchange-CommandLinePing instruction before v18.1 allows for arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-45163
06 Nov 2023 — The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruct... • https://https://exchange.1e.com/product-packs/network • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45161 – 1E-Exchange-URLResponseTime instruction before v20.1 allows arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-45161
06 Nov 2023 — The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instructio... • https://exchange.1e.com/product-packs/network • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-27225
https://notcve.org/view.php?id=CVE-2020-27225
09 Mar 2021 — In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process. En las versiones 4.18 y anteriores de la Eclipse Platform, el Subsistema de Ayuda no autentica unas peticiones de ayuda activas en el servidor web de ayuda local, permitiendo a un atacante local no autenticado... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=569855 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2019-16374
https://notcve.org/view.php?id=CVE-2019-16374
13 Aug 2020 — Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control. Pega Platform versión 8.2.1, permite una inyección de LDAP porque un nombre de usuario puede contener un carácter * y puede ser de una longitud ilimitada. Un atacante puede especificar cuatro caracteres de un nombre de usuario, seguidos del carácter *, para omitir el control de acce... • https://community.pega.com/upgrade •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8775
https://notcve.org/view.php?id=CVE-2020-8775
29 Apr 2020 — Pega Platform before version 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the comment tags. Pega Platform versiones anteriores a 8.2.6, está afectada por una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado en las etiquetas de comentarios. • https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=issue%20529706&f%5B0%5D=version%3A32536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8773
https://notcve.org/view.php?id=CVE-2020-8773
29 Apr 2020 — The Richtext Editor in Pega Platform before 8.2.6 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. El Richtext Editor en Pega Platform versiones anteriores a 8.2.6, está afectado por una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado. • https://community.pega.com/knowledgebase/products/platform/resolved-issues?q=issue%20529706&f%5B0%5D=version%3A32536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •