PYSEC-2023-130

Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the...

CVE-2023-36826 Sentry vulnerable to improper authorization on debug and artifact file downloads

Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the...

CVE-2023-36826

Summary of CVE-2023-36826 (Sentry): Before 23.5.2, authenticated users could download a debug or artifact bundle from arbitrary organizations/projects using a known bundle ID, without needing membership or project permissions. Root cause: authorization checks were not properly scoped on the retri...

Improper authorization on debug and artifact file downloads

Impact An authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. Patches A patch was issued to ensure authorization checks are proper...

PT-2023-25715 · Sentry · Sentry

Name of the Vulnerable Software and Affected Versions: Sentry versions 8.21.0 through 23.5.1 Description: An authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID, without needing to be a member of the organization or having...

WordPress DokoBuilder : DIY Product Bundle for WooCommerce Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)

Software DokoBuilder : DIY Product Bundle for WooCommerce Type Plugin Vulnerable versions = 1.0 Fixed in 1.0.1 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority High CVSS severity High 7.1 Developer Claim ownership PSID 9b2f125227ce Credits Rafie...

Cross-site Scripting (XSS)

pimcore/admin-ui-classic-bundle is vulnerable to Cross-site Scripting XSS. The vulnerability exists if an admin user has not set up 2-factor authentication in twofactorsetup.html.twig , which allows an attacker to inject and execute malicious HTML or javascript through the /admin/login/2fa-setup...

Hardcoded credentials

Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This...

CVE-2023-37280

Pimcore Admin Classic Bundle (ExtJS-based Backend UI) contains a cross-site scripting vulnerability (CVE-2023-37280) that can be exploited by any admin who has not set up two-factor authentication, without extra privileges. The issue allows execution of arbitrary scripts/HTML content via the admi...

CVE-2023-37280 Pimcore admin UI vulnerable to Cross-site Scripting in two factor authentication setup page

Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This...

Pimcore 跨站脚本漏洞

Pimcore is Austria Pimcore company's set of open source for creating and managing Web applications Web content management platform. The platform integrates Web content management, e-commerce frameworks and product information management applications. A cross-site scripting vulnerability exists in...

CVE-2023-20899

VMware SD-WAN Edge contains a bypass authentication vulnerability. An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management...

CVE-2023-20899

VMware SD-WAN Edge contains a bypass authentication vulnerability. An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management...

Authentication flaw

VMware SD-WAN Edge contains a bypass authentication vulnerability. An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management...

CVE-2023-20899

VMware SD-WAN Edge contains a bypass authentication vulnerability. An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management...

CVE-2023-20899

VMware SD-WAN Edge contains a bypass authentication vulnerability. An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management...

GHSA-2Q4P-F6GF-MQR5 Graylog server has partial path traversal vulnerability in Support Bundle feature

A partial path traversal vulnerability exists in Graylog's Support Bundle feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information. Impact Graylog's Support Bundle...

Graylog server has partial path traversal vulnerability in Support Bundle feature

A partial path traversal vulnerability exists in Graylog's Support Bundle feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information. Impact Graylog's Support Bundle...

PT-2023-27757 · Graylog · Graylog

Name of the Vulnerable Software and Affected Versions: Graylog versions prior to 5.1.3 Description: A partial path traversal vulnerability exists in Graylog's Support Bundle feature, caused by incorrect user input validation in an HTTP API resource. This allows an attacker with valid Admin role...

DEBIAN-CVE-2023-0767

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox 110, Thunderbird 102.8, and Firefox ESR 102.8...