CVE-2024-0252 Remote code execution
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability...
ZOHO ManageEngine ADSelfService Plus Security Vulnerability
ZOHO ManageEngine ADSelfService Plus is ZOHO's integrated self-service password management and single sign-on solution for Active Directory and cloud applications. A security vulnerability exists in ZOHO ManageEngine ADSelfService Plus 6401 and prior versions, which stems from a remote code...
The vulnerability of the PowerStation network load balancing system, related to insufficient protection of operational data, allows an intruder to gain unauthorized access to protected information, execute arbitrary code, or cause a service failure.
The vulnerability of the PowerStation network load balancing system is related to the lack of authentication for critical functions, resulting from insufficient protection of operational data. Exploiting this vulnerability can allow a malicious actor to gain unauthorized access to protected...
CVE-2023-47106
Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path...
Improper access control
Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path...
CVE-2023-47633
CVE-2023-47633 affects the Traefik Docker image when it serves as its own backend, triggered by an automatically generated route from Docker integration in default configuration. The issue causes 100% CPU usage, leading to a denial of service-like impact on the affected instance. The vulnerabilit...
CVE-2023-47633 Uncontrolled Resource Consumption in Traefik
Traefik is an open source HTTP reverse proxy and load balancer. The traefik docker container uses 100% CPU when it serves as its own backend, which is an automatically generated route resulting from the Docker integration in the default configuration. This issue has been addressed in versions...
CVE-2023-47106
Traefik vulnerability CVE-2023-47106: when a request contains a URL fragment, Traefik URL-encodes and forwards the fragment to the backend, violating RFC 7230 (origin-form should only have path and query). In a setup with a frontend proxy like Nginx, this can bypass URI-based access controls. Add...
CVE-2023-47106 Incorrect processing of fragment in the URL leads to Authorization Bypass in Traefik
Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path...
CVE-2023-47124
CVE-2023-47124 describes a DoS vector in Traefik when using HTTPChallenge to obtain/renew Let’s Encrypt TLS certificates: the 50-second delay allowed solving the challenge can be abused for a slowloris-style attack. Public details in the initial document specify impacts as a server availability r...
Virtuozzo Hybrid Infrastructure 6.0 (6.0.0-243)
In this release, Virtuozzo Hybrid Infrastructure provides an upgrade of the Linux distribution, kernel, and toolset packages. This release also contains a range of new features that cover storage performance, object storage, as well as monitoring and alerts. Additionally, this release delivers...
Authorization
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and...
CVE-2023-47112 Authenticated users can view job names and groups they do not have authorization to view in Rundeck
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and...
Authenticated Rundeck users can view or delete jobs they do not have authorization for.
Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. The affected URLs are: - https://host/context/rdJob/ -...
GHSA-PHMW-JX86-X666 Authenticated Rundeck users can view or delete jobs they do not have authorization for.
Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. The affected URLs are: - https://host/context/rdJob/ -...
PT-2023-30317 · Rundeck · Rundeck
Name of the Vulnerable Software and Affected Versions: Rundeck versions prior to 4.17.3 Description: The issue allows authenticated users to access certain URL paths without necessary authorization checks, providing a list of job names and groups for any project. The affected URLs are...
CVE-2023-47107
PILOS is an open source front-end for BigBlueButton servers with a built-in load balancer. The password reset component deployed within PILOS uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to PILOS users...
Design/Logic Flaw
PILOS is an open source front-end for BigBlueButton servers with a built-in load balancer. The password reset component deployed within PILOS uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to PILOS users...
CVE-2023-47107
Summary of mode C (concrete details): PILOS, the BigBlueButton front-end, has a vulnerability in its password reset flow where the reset URL is built using the request host header. An attacker could lure affected users to a URL that points to the attacker’s server, potentially disclosing the pass...
CVE-2023-47107 PILOS account takeover through password reset poisoning
PILOS is an open source front-end for BigBlueButton servers with a built-in load balancer. The password reset component deployed within PILOS uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to PILOS users...