9 matches found
CVE-2023-36649
ProLion CryptoSpike 3.0.15P2 is affected by an authentication/authorization issue arising from insertion of sensitive information into the centralized Grafana logging system, enabling remote attackers to impersonate other users in web management and REST API by reading JWT tokens from logs or the...
CVE-2023-36652
CVE-2023-36652 describes a SQL injection in ProLion CryptoSpike 3.0.15P2's users searching REST API endpoint. The underlying issue is unsafely constructed SQL in the search parameter, allowing remote authenticated attackers to read database data. Affected product: ProLion CryptoSpike (version 3.0...
CVE-2023-36654
ProLion CryptoSpike 3.0.15P2 contains a directory-traversal vulnerability in the log-download REST API endpoint. By injecting paths into API parameters, remote authenticated attackers can download SSH private keys from the host server (root-owned). Root cause: path traversal in the log-download e...
CVE-2023-36648
The CVE-2023-36648 issue affects ProLion CryptoSpike 3.0.15P2, where missing authentication in the internal data streaming system allows remote unauthenticated access to Apache Kafka as a consumer or producer. This exposes potentially sensitive information and can cause denial of service by direc...
CVE-2023-36655
ProLion CryptoSpike 3.0.15P2 exposes a login REST API weakness when LDAP/AD is used as the user store: a remote blocked user can obtain an authentication token by supplying a username with mixed upper/lowercase. The issue is documented in CVE-2023-36655 across multiple feeds (NVD, CVE lists, vend...
CVE-2023-36647
Summary: CVE-2023-36647 affects ProLion CryptoSpike 3.0.15P2, where a hard-coded cryptographic private key is used to sign JWTs, enabling remote impersonation of users/roles in web management and REST API endpoints. The vulnerability arises from the use of a private key embedded in the product, e...
CVE-2023-36646
CVE-2023-36646 affects ProLion CryptoSpike 3.0.15P2. The issue is incorrect user role checking in multiple REST API endpoints, enabling a remote attacker with low privileges to call privileged functions and achieve privilege escalation via REST endpoint invocation. The NVD entry rates the impact ...
CVE-2023-36650
CVE-2023-36650 concerns ProLion CryptoSpike 3.0.15P2, where a missing integrity check in the software’s update system allows an attacker to run OS commands as root on the host via forged updates. The vulnerability affects the update mechanism (update system) and the root-level impact is described...
CVE-2023-36651
Summary: CVE-2023-36651 affects ProLion CryptoSpike 3.0.15P2. The issue arises from hidden and hard-coded credentials that let remote attackers log in to web management as super-admin and access the most privileged REST API endpoints. The available sources consistently describe the vulnerability ...