
CVE-2025-53709 – Access control issues impacting secure-upload service
https://notcve.org/view.php?id=CVE-2025-53709
10 Jul 2025 — Secure-upload is a data submission service that validates single-use tokens when accepting submissions to channels. The service is only installed on a small number of environments. Under specific circumstances, privileged users of secure-upload could have selected email templates not necessarily created for their enrollment when sending data upload requests. Authenticated and privileged users of one enrollment could have abused an endpoint to redirect existing submission channels to a dataset they control. An ... • https://cwe.mitre.org/data/definitions/285.html • CWE-285: Improper Authorization •

CVE-2024-49589 – Foundry artifacts denial of service
https://notcve.org/view.php?id=CVE-2024-49589
18 Feb 2025 — Foundry Artifacts was found to be vulnerable to a denial of service attack because the disk could be filled up based on a user-supplied argument (size). • https://palantir.safebase.us/?tcuUid=ad6b08b1-2f79-4e32-b125-406dd2b9b1c3 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-49581 – Access control issue impacting RV backed objects
https://notcve.org/view.php?id=CVE-2024-49581
02 Dec 2024 — Restricted Views backed objects (OSV1) could be bypassed under specific circumstances due to a software bug; this could have allowed users who did not have permission to see such objects to view them directly via Object Explorer. This software bug did not impact or otherwise make data available across organizational boundaries, nor did it allow data to be viewed or accessed by unauthenticated users. The affected service has been patched and automatically deployed to all Apollo-managed Foundry instances.... • https://palantir.safebase.us/?tcuUid=b60db1ee-4b1a-475d-848e-c5a670a0da16 • CWE-862: Missing Authorization •

CVE-2024-49588 – Multiple authenticated SQL injections in oracle-sidecar
https://notcve.org/view.php?id=CVE-2024-49588
21 Nov 2024 — Multiple endpoints in `oracle-sidecar` in versions 0.347.0 to 0.543.0 were found to be vulnerable to SQL injections. • https://cwe.mitre.org/data/definitions/89.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-30970 – Gotham table and Forward App Path traversal
https://notcve.org/view.php?id=CVE-2023-30970
29 Jan 2024 — The Gotham Table service and Forward App were found to be vulnerable to a path traversal issue allowing an authenticated user to read arbitrary files on the file system. • https://palantir.safebase.us/?tcuUid=69be99ef-ad24-4339-9017-c8bf70789c72 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-36: Absolute Path Traversal •

CVE-2023-30954 – Gotham Video Broken Authentication
https://notcve.org/view.php?id=CVE-2023-30954
15 Nov 2023 — The Gotham video-application-server service contained a race condition which would cause it to not apply certain ACLs to new videos if the source system had not yet initialized. • https://palantir.safebase.us/?tcuUid=d2366a3e-a92c-476e-8a7a-7db60e4be567 • CWE-285: Improper Authorization CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2023-30967 – Gotham Orbital Simulator path traversal
https://notcve.org/view.php?id=CVE-2023-30967
25 Oct 2023 — The Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a path traversal issue allowing an unauthenticated user to read arbitrary files on the file system. • https://palantir.safebase.us/?tcuUid=8fd5809f-26f8-406e-b36f-4a6596a19d79 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-287: Improper Authentication •

CVE-2023-30969 – Palantir Tiles missing authentication on API endpoints
https://notcve.org/view.php?id=CVE-2023-30969
25 Oct 2023 — The Palantir Tiles1 service was found to be vulnerable to an API-wide issue where the service was not performing authentication/authorization on all endpoints. • https://palantir.safebase.us/?tcuUid=afcbc9b2-de62-44b9-b28b-2ebf0684fbf7 • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVE-2023-30961 – Palantir Gotham UI bug that could lead to incorrect data classification
https://notcve.org/view.php?id=CVE-2023-30961
26 Sep 2023 — Palantir Gotham was found to be vulnerable to a bug where, under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link. • https://palantir.safebase.us/?tcuUid=2755c49f-2c30-459e-8bdf-f95ef3692da4 • CWE-710: Improper Adherence to Coding Standards CWE-1021: Improper Restriction of Rendered UI Layers or Frames •

CVE-2023-30959 – Stored XSS via javascript URI in Apollo Change Requests comment
https://notcve.org/view.php?id=CVE-2023-30959
26 Sep 2023 — In Apollo change requests, comments added by users could contain a javascript: URI link that, when rendered, results in an XSS that requires user interaction. • https://palantir.safebase.us/?tcuUid=4c257f07-58af-4532-892a-bdbe8ab3ec63 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page •