Versa Concerto API Path Based - Authentication Bypass
Authentication bypass in the Versa Concerto API, caused by URL decoding inconsistencies. It allowed unauthorized access to certain API endpoints by manipulating the URL path. This issue enabled attackers to bypass authentication controls and access restricted resources. id: CVE-2025-34027 info:...
Versa Concerto Actuator Endpoint - Authentication Bypass
An authentication bypass vulnerability affected the Spring Boot Actuator endpoints in Versa Concerto due to improper handling of the X-Real-Ip header. Attackers could access restricted endpoints by omitting this header. The issue allowed unauthorized access to sensitive functionality, highlighting...
CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2025-68645 (CVSS score: 8.8) - A PHP remote fi...
Versa Concerto Improper Authentication Vulnerability
Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs...
CVE-2021-31930
Persistent cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user attempts to delete the...
EUVD-2025-199346
Malicious code in @accordproject/concerto-types npm...
@accordproject/concertino (>=1.0.0-alpha.3 <=1.0.0-alpha.6) potentially affected by unknown CVE via @accordproject/concerto-types (=3.22.0)
@accordproject/concerto-types NPM version =3.22.0 is affected by a known vulnerability. The following packages have a transitive dependency on @accordproject/concerto-types and may be impacted: - @accordproject/concertino =1.0.0-alpha.3, =1.0.0-alpha.6 Source cves: unknown CVE Source advisory:...
MAL-2025-191174 Malicious code in @accordproject/concerto-metamodel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1581131b6f7d752a2f26c167db5c144e33b737febc23f3e156f76a1b68e763ae The package @accordproject/concerto-metamodel was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-199347
Malicious code in @accordproject/concerto-metamodel npm...
@accordproject/cicero-cli (>=0.23.1-20221017150218 <=0.25.1-20250329112129), @accordproject/cicero-core (>=0.23.1-20221017150218 <=0.25.1-20250329112129) +29 more potentially affected by unknown CVE via @accordproject/concerto-metamodel (>=3.0.0-alpha.1 <=3.12.4)
@accordproject/concerto-metamodel NPM version =3.0.0-alpha.1, =0.23.1-20221017150218, =0.23.1-20221017150218, =0.23.1-20221017150218, =0.23.1-20221017150218, =0.23.1-20221017150218, =0.23.1-20221017150218, =0.0.9, =1.0.0-alpha.3, =3.0.0, =3.0.0, =3.23.1, =3.0.0, =3.0.0, =3.22.1-20250619101610,...
EUVD-2025-199348
Malicious code in @accordproject/concerto-linter-default-ruleset npm...
MAL-2025-191173 Malicious code in @accordproject/concerto-linter-default-ruleset (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d9f48c313afcaf0a201a7b16889d968e2694c7e3751cc334b257de8f8084d9df The package @accordproject/concerto-linter-default-ruleset was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-199349
Malicious code in @accordproject/concerto-linter npm...
MAL-2025-191172 Malicious code in @accordproject/concerto-linter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6a266ef73fe4cd4e7227a57de2c97b342daf2ae0aed81e06b41bd9a55ab02d24 The package @accordproject/concerto-linter was found to contain malicious code. Source: ghsa-malware...
@accordproject/concerto-cli (=3.18.1-20251008112859) potentially affected by unknown CVE via @accordproject/concerto-linter (=3.24.0)
@accordproject/concerto-linter NPM version =3.24.0 is affected by a known vulnerability. The following packages have a transitive dependency on @accordproject/concerto-linter and may be impacted: - @accordproject/concerto-cli =3.18.1-20251008112859 Source cves: unknown CVE Source advisory:...
EUVD-2025-199350
Malicious code in @accordproject/concerto-analysis npm...
MAL-2025-191171 Malicious code in @accordproject/concerto-analysis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd4dfaf2dbfd72597ed98e94903934d34e97ddd5dc4f7aeb7f5450767cb3a34c The package @accordproject/concerto-analysis was found to contain malicious code. Source: ghsa-malware...
@accordproject/concerto-cli (>=3.0.0 <=3.18.1-20251008112859) potentially affected by unknown CVE via @accordproject/concerto-analysis (>=3.0.0-alpha.2 <=3.24.0)
@accordproject/concerto-analysis NPM version =3.0.0-alpha.2, =3.0.0, =3.18.1-20251008112859 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191171...
@accordproject/concerto-metamodel contains malware after npm account takeover
On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...