CVE-2024-11831 – npm-serialize-javascript: cross-site scripting (XSS) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regular expressions or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when the serialized output is deserialized by a web browser, causing cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-10295 – Gateway: APIcast basic auth bypass via malformed base64 headers. Sending non-base64 'basic' auth with special characters causes APIcast to incorrectly authenticate a request
https://notcve.org/view.php?id=CVE-2024-10295
24 Oct 2024 — A flaw was found in Gateway. Sending a non-base64 'basic' auth header with special characters can cause APIcast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue occurs because a failure in the base64 decoding process causes APIcast to skip the rest of the authentication checks and proceed with routing the request upstream. • https://access.redhat.com/security/cve/CVE-2024-10295 • CWE-863: Incorrect Authorization

CVE-2024-9671 – System: PDF invoices of developer users can be seen if the URL is known
https://notcve.org/view.php?id=CVE-2024-9671
09 Oct 2024 — A vulnerability was found in 3scale. There is no authentication mechanism protecting the PDF invoice of a Developer user if the URL is known. Anyone who knows or guesses the URL can see the invoice. • https://access.redhat.com/security/cve/CVE-2024-9671 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory • CWE-862: Missing Authorization

CVE-2024-0560 – APIcast: use_3scale_oidc_issuer_endpoint of the Token Introspection policy isn't compatible with RH-SSO 7.5 or later versions
https://notcve.org/view.php?id=CVE-2024-0560
28 Feb 2024 — A vulnerability was found in 3scale when used with Keycloak 15 (or RH-SSO 7.5.0) and later. When auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but that field was removed in RH-SSO 7.5. As a result, the policy does not inspect tokens at all and determines that all tokens are valid. • https://access.redhat.com/security/cve/CVE-2024-0560 • CWE-280: Improper Handling of Insufficient Permissions or Privileges