CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 0CVE-2023-5115 – Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files
https://notcve.org/view.php?id=CVE-2023-5115
17 Oct 2023 — An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path. Existe un ataque de path traversal absoluto en la plataforma de automatización Ansible. Esta falla permite a un atacante crear un rol de Ansible malicioso y hacer que la víctima ejecute el rol. • https://access.redhat.com/errata/RHSA-2023:5701 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-36: Absolute Path Traversal •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 1CVE-2023-3971 – Controller: html injection in custom login info
https://notcve.org/view.php?id=CVE-2023-3971
01 Aug 2023 — An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise. Se encontró una falla de inyección de HTML en Controller en la configuración de la interfaz de usuario. Esta falla permite a un atacante capturar credenciales creando una página de inicio de sesión personalizada mediante la inyección de HTML, lo que resulta en un compromiso total. Red Hat Ansi... • https://github.com/ashangp923/CVE-2023-3971 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •