
CVE-2023-6841 – Keycloak: number of attributes per object is not limited and may lead to DoS
https://notcve.org/view.php?id=CVE-2023-6841
10 Sep 2024 — A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited; an attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values. Reference: https://access.redhat.com/security/cve/CVE-2023-6841. Weakness: CWE-231: Improper Handling of Extra Values.

CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... Reference: https://github.com/imabee101/CVE-2023-44487. Weakness: CWE-400: Uncontrolled Resource Consumption.

CVE-2020-1723
https://notcve.org/view.php?id=CVE-2020-1723
28 Jan 2021 — A flaw was found in Keycloak Gatekeeper (Louketo). The logout endpoint can be abused to redirect logged-in users to arbitrary web pages. Affected versions of Keycloak Gatekeeper (Louketo): 6.0.1, 7.0.0. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1770276. Weakness: CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

CVE-2019-11358 – jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
https://notcve.org/view.php?id=CVE-2019-11358
19 Apr 2019 — jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. Reference: https://github.com/isacaya/CVE-2019-11358. Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

CVE-2015-5248
https://notcve.org/view.php?id=CVE-2015-5248
20 Sep 2017 — Reflected file download vulnerability in Red Hat Feedhenry Enterprise Mobile Application Platform. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1272326. Weakness: CWE-20: Improper Input Validation.

CVE-2017-7552 – RHMAP Millicore IDE allows RCE on SCM
https://notcve.org/view.php?id=CVE-2017-7552
18 Sep 2017 — A flaw was discovered in the file editor of millicore, affecting versions before 3.19.0 and 4.x before 4.5.0, which allows files to be executed as well as created. An attacker could use this flaw to compromise other users' or teams' projects stored in the source control management of the RHMAP Core installation. Reference: https://access.redhat.com/errata/RHSA-2017:2674.

CVE-2017-7553 – RHMAP: SSRF via external_request feature of App Studio
https://notcve.org/view.php?id=CVE-2017-7553
18 Sep 2017 — The external_request API call in App Studio (millicore) allows server side request forgery (SSRF). An attacker could use this flaw to probe internal network resources and access restricted endpoints. Reference: https://access.redhat.com/errata/RHSA-2017:2674. Weakness: CWE-918: Server-Side Request Forgery (SSRF).

CVE-2017-7554 – RHMAP: Stored XSS in App Store
https://notcve.org/view.php?id=CVE-2017-7554
18 Sep 2017 — It was found that the App Studio component of RHMAP 4.4 executes JavaScript provided by a user. An attacker could use this flaw to execute a stored XSS attack on an application administrator using App Studio. A flaw was found wher... Reference: https://access.redhat.com/errata/RHSA-2017:2674. Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

CVE-2017-5645 – log4j: Socket receiver deserialization vulnerability
https://notcve.org/view.php?id=CVE-2017-5645
17 Apr 2017 — In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. Reference: https://github.com/pimps/CVE-2017-5645. Weakness: CWE-502: Deserialization of Untrusted Data.