Caldera@* Security Vulnerabilities and Issues — Caldera@* CVE List

Lucene search

MitreCaldera*

10 matches found

CVE•added 2025/02/24 7:15 p.m.•129 views

CVE-2025-27364

In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web re...

10CVSS8.5AI score0.00941EPSS

CVE•added 2020/03/22 4:15 p.m.•44 views

CVE-2020-10807

auth_svc in Caldera before 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host header.

5.3CVSS5.4AI score0.00297EPSS

CVE•added 2022/01/12 7:15 p.m.•41 views

CVE-2021-42562

An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by admin users.

8.1CVSS7.8AI score0.00882EPSS

CVE•added 2022/01/12 8:15 p.m.•40 views

CVE-2021-42559

An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.

8.8CVSS8.8AI score0.02989EPSS

CVE•added 2022/01/12 7:15 p.m.•39 views

CVE-2021-42561

An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute...

9CVSS8.9AI score0.10288EPSS

CVE•added 2022/10/17 9:15 p.m.•38 views

CVE-2022-40606

MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40605.

6.1CVSS5.8AI score0.00113EPSS

CVE•added 2022/10/17 8:15 p.m.•37 views

CVE-2022-40605

MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606.

6.1CVSS5.8AI score0.00113EPSS

CVE•added 2022/10/17 8:15 p.m.•35 views

CVE-2022-41139

MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents.

5.4CVSS5.5AI score0.00105EPSS

CVE•added 2022/01/12 8:15 p.m.•34 views

CVE-2021-42558

An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers.

6.1CVSS6.1AI score0.02148EPSS

CVE•added 2021/07/12 8:15 p.m.•33 views

CVE-2020-19907

A command injection vulnerability in the sandcat plugin of Caldera 2.3.1 and earlier allows authenticated attackers to execute any command or service.

8.8CVSS8.8AI score0.04201EPSS