
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The component in (1) /luci/homebase and (2) /luci/cluster menu in Red Hat Conga 0.12.2 allows remote authenticated users to bypass intended access restrictions via a crafted URL.

It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.

• http://rhn.redhat.com/errata/RHSA-2014-1194.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1112813
• https://access.redhat.com/security/cve/CVE-2014-3521

• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

Red Hat Conga 0.12.2 allows remote attackers to obtain sensitive information via a crafted request to the (1) homebase, (2) cluster, (3) storage, (4) portal_skins/custom, or (5) logs Luci extension.

Multiple information leak flaws were found in the way conga processed luci site extension-related URL requests. A remote, unauthenticated attacker could issue a specially crafted HTTP request that, when processed, would result in unauthorized information disclosure.

• http://rhn.redhat.com/errata/RHSA-2014-1194.html
• https://bugzilla.redhat.com/show_bug.cgi?id=971541
• https://access.redhat.com/security/cve/CVE-2013-6496

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor