Fleet Server Security Vulnerabilities
It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to.....
7.5CVSS
7.5AI Score
0.001EPSS
An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Serverโs log file in plain text. These enrolment tokens could allow someone to enrol an agent into an agent policy, and potentially use that to retrieve other secret...
8.1CVSS
7.9AI Score
0.001EPSS
Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the...
2.7CVSS
4AI Score
0.001EPSS
Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary ".php" file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads to remote command execution on the remote server. Any...
8.8CVSS
8.7AI Score
0.01EPSS
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be...
6.1CVSS
6.3AI Score
0.007EPSS
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog...