4540 matches found

OSV
added 2021/08/18 6:15 a.m. | 3 views

CVE-2021-20754

Improper input validation vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Workflow without the appropriate privilege...

CVSS 4.3 | AI score 5.8 | EPSS 0.0078
Exploits 0 | References 2
Prion
added 2021/08/18 6:15 a.m. | 20 views

Privilege escalation

There is a vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.0, which may allow a remote authenticated attacker to delete the route information Workflow without the appropriate privilege...

CVSS 4 | AI score 5.1 | EPSS 0.0078
Exploits 0 | References 2 | Affected Software 1
CVE
added 2021/08/18 5:36 a.m. | 57 views

CVE-2021-20773

The CVE-2021-20773 vulnerability affects Cybozu Garoon 4.0.0 through 5.5.0. It allows a remote authenticated attacker to delete Workflow route information without the appropriate privileges, as described across multiple sources (e.g., Red Hat, NVD, JVN, CVE records). Affected components are tied ...

CVSS 4.3 | AI score 4.5 | EPSS 0.0078
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2021/08/18 5:36 a.m. | 20 views

CVE-2021-20773

There is a vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.5.0, which may allow a remote authenticated attacker to delete the route information Workflow without the appropriate privilege...

AI score 5.5 | EPSS 0.0078
Exploits 0 | References 2
CVE
added 2021/08/18 5:35 a.m. | 61 views

CVE-2021-20754

CVE-2021-20754 involves Cybozu Garoon Workflow improper input validation. Affected: Cybozu Garoon versions 4.0.0–5.0.2. Vulnerability allows a remote authenticated attacker to alter Workflow data without the appropriate privilege (root cause: input validation flaw in the Workflow component). Impa...

CVSS 4.3 | AI score 4.7 | EPSS 0.0078
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2021/08/18 5:35 a.m. | 21 views

CVE-2021-20754

Improper input validation vulnerability in Workflow of Cybozu Garoon 4.0.0 to 5.0.2 allows a remote authenticated attacker to alter the data of Workflow without the appropriate privilege...

AI score 5.6 | EPSS 0.0078
Exploits 0 | References 2
OSV
added 2021/08/10 10:15 p.m. | 3 views

CVE-2021-37425

Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key...

CVSS 9.1 | AI score 7.1 | EPSS 0.66278
Exploits 4 | References 4
CVE
added 2021/08/10 9:16 p.m. | 133 views

CVE-2021-37425

CVE-2021-37425 affects Altova MobileTogether Server prior to 7.3 SP1. The issue is XML External Entity (XXE) processing that can allow a user with app access to read arbitrary files from the server filesystem (e.g., MobileTogether server config) and potentially read certificates/private keys, and...

CVSS 9.1 | AI score 8.3 | EPSS 0.66278
Exploits 4 | References 4 | Affected Software 1
OSV
added 2021/08/09 8:37 p.m. | 14 views

GHSA-H563-XH25-X54Q Workflow re-write vulnerability using input parameter

Impact: Allow end-users to set input parameters, but otherwise expect workflows to be secure. Patches: Not yet. Workarounds: Set EXPRESSIONTEMPLATES=false for the workflow controller. References: https://github.com/argoproj/argo-workflows/issues/6441 For more information: If you have any questions or...

CVSS 6.5 | AI score 6.3 | EPSS 0.00963
Exploits 1 | References 7
GitHub Security Blog
added 2021/08/09 8:37 p.m. | 61 views

Workflow re-write vulnerability using input parameter

Impact: Allow end-users to set input parameters, but otherwise expect workflows to be secure. Patches: Not yet. Workarounds: Set EXPRESSIONTEMPLATES=false for the workflow controller. References: https://github.com/argoproj/argo-workflows/issues/6441 For more information: If you have any questions or...

CVSS 6.5 | AI score 6.3 | EPSS 0.00963
Exploits 1 | References 7 | Affected Software 1
OSV
added 2021/08/06 2:15 p.m. | 2 views

CVE-2021-37549

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient...

CVSS 9.1 | AI score 7.3
Exploits 0 | References 1
NVD
added 2021/08/03 9:15 p.m. | 15 views

CVE-2021-33333

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs...

CVSS 6.5 | EPSS 0.0087
Exploits 0 | References 2
OSV
added 2021/08/03 9:15 p.m. | 20 views

CVE-2021-33333

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs...

CVSS 6.3 | AI score 6.5
Exploits 0 | References 2
Prion
added 2021/08/03 9:15 p.m. | 21 views

Code injection

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs...

CVSS 6.5 | AI score 6 | EPSS 0.0087
Exploits 0 | References 2 | Affected Software 2
Cvelist
added 2021/08/03 8:47 p.m. | 22 views

CVE-2021-33333

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19 and 7.2 before fix pack 6, does not properly check user permission, which allows remote authenticated users to view and delete workflow submissions via crafted URLs...

AI score 6.2 | EPSS 0.0087
Exploits 0 | References 2
CVE
added 2021/08/03 8:47 p.m. | 104 views

CVE-2021-33333

The CVE-2021-33333 entry describes a vulnerability in the Portal Workflow module of Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 6, where improper permission checks allow remote authenticated users to view and delete wor...

CVSS 6.5 | AI score 6 | EPSS 0.0087
Exploits 0 | References 2 | Affected Software 2
OSV
added 2021/08/03 7:15 p.m. | 15 views

CVE-2021-33325

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the...

CVSS 4.9 | AI score 6.5
Exploits 0 | References 2
Prion
added 2021/08/03 7:15 p.m. | 20 views

Default credentials

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the...

CVSS 4 | AI score 5 | EPSS 0.00568
Exploits 0 | References 2 | Affected Software 2
Cvelist
added 2021/08/03 6:33 p.m. | 17 views

CVE-2021-33325

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the...

AI score 5.3 | EPSS 0.00568
Exploits 0 | References 2
NVD
added 2021/08/03 12:15 a.m. | 11 views

CVE-2021-37914

In Argo Workflows through 3.1.3, if EXPRESSIONTEMPLATES is enabled and untrusted users are allowed to specify input parameters when running workflows, an attacker may be able to disrupt a workflow because expression template output is evaluated...

CVSS 6.5 | EPSS 0.00963
Exploits 1 | References 2