341 matches found
CVE-2023-51982
CrateDB 5.5.1 contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and, in the case of a local address, identity authentication can be bypassed by setting the X-Real-IP request header to a specific value and accessing the Admin UI...
Authentication flaw
CrateDB 5.5.1 contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and, in the case of a local address, identity authentication can be bypassed by setting the X-Real-IP request header to a specific value and accessing the Admin UI...
PT-2024-40900 · Crateio · Cratedb
Name of the Vulnerable Software and Affected Versions: CrateDB version 5.5.1 Description: The issue concerns an authentication bypass in the Admin UI component. It can be exploited by setting the X-Real-IP request header to a specific value, allowing access to the Admin UI using the default user...
CVE-2023-51982
CrateDB 5.5.1 exposes an authentication bypass in the Admin UI. When password authentication is configured, an X-Real-IP header can bypass identity checks, allowing direct Admin UI access with the default user identity. Reported as CVE-2023-51982 with a CRITICAL CVSS v3.1 score (9.8). Affected: A...
Allocation of Resources Without Limits in Keycloak
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (500,000 users, each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of th...
GHSA-54F3-C6HG-865H Allocation of Resources Without Limits in Keycloak
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (500,000 users, each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of th...
CVE-2023-6563
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (500,000 users, each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of th...
Memory corruption
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (500,000 users, each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of th...
EnBw SENEC Legacy Storage Box Security Vulnerability
The EnBw SENEC Legacy Storage Box is a series of storage boxes from the German company EnBw. A security vulnerability exists in EnBw SENEC Legacy Storage Box versions V1, V2, and V3, which stems from an administrator credentials disclosure, and can be exploited by an attacker to gain access to th...
CVE-2023-49075 Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls
The Admin Classic Bundle provides a Backend UI for Pimcore. AdminBundle\Security\PimcoreUserTwoFactorCondition, introduced in v11, disables two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor...
Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls
Impact: AdminBundle\Security\PimcoreUserTwoFactorCondition, introduced in v11, disables two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the 2 factor credentials. Patches: Apply patch...
GHSA-9WWG-R3C7-4VFG Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls
Impact: AdminBundle\Security\PimcoreUserTwoFactorCondition, introduced in v11, disables two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the 2 factor credentials. Patches: Apply patch...
Full Path Disclosure
pimcore/admin-ui-classic-bundle is vulnerable to a full path disclosure vulnerability. The vulnerability is caused by missing error detection while the server retrieves the path of a file. This lets an attacker obtain the full path of the file they want to view. The attacker can use this...
HTML Injection
ethyca-fides is vulnerable to HTML Injection. The vulnerability arises from a lack of input validation of data coming from connected systems and data stores, which is reflected in the downloaded data. This results in an HTML injection that can be abused to perform phishing attacks or malicious JS executio...
Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages
Impact: The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then be retrieved from connected systems and data stores before being...
CVE-2023-5771
Proofpoint Enterprise Protection contains a stored XSS vulnerability in the AdminUI. An unauthenticated attacker can send a specially crafted email with HTML in the subject which triggers XSS when viewing quarantined messages. This issue affects Proofpoint Enterprise Protection: from 8.20.0 befor...
GHSA-6F58-J323-6472 pimcore/admin-ui-classic-bundle Unverified Password Change
Impact: As the old password can be set as the new password, this is considered a password policy violation. Pimcore does not enforce a strict password policy, which allows an attacker to set the old password as the new password. Proof of Concept: 1. Go to the Admin link. 2. Log in and click on "User | My Profile". 3. Go to...