8 matches found
CVE-2022-31358
CVE-2022-31358 is a reflected XSS in Proxmox Virtual Environment before v7.2-3. The issue allows remote attackers to execute arbitrary web scripts/HTML by accessing non-existent endpoints under /api2/html/. Affected software: Proxmox VE versions prior to 7.2-3. Root cause/impact: reflected XSS wi...
CVE-2022-35508
Proxmox CVE-2022-35508 enables SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon, exploitable by an unprivileged user to disclose server files. In Proxmox Mail Gateway, there is also a privilege escalation route to root@pam if backup artifacts were used, because pmg-backup...
CVE-2023-43320
Affected products and versions: Proxmox VE 5.4–8.0, Proxmox Backup Server 1.1–3.0, and Proxmox Mail Gateway 7.1–8.0. Vulnerability: remote authenticated attacker can escalate privileges by bypassing the two‑factor authentication component. Root cause/impact: authentication bypass enabling privile...
CVE-2022-35507
Proxmox VE/PMG web interfaces are affected by a response-header CRLF injection in pve-http-server. An attacker can cause a client-side DoS by injecting CRLF into response headers to set cookies longer than the server expects, notably affecting Chromium-based browsers using %0d. Affected versions ...
CVE-2014-4156
Proxmox VE prior to 3.2 has a User Enumeration vulnerability in AccessControl.pm . The issue is described across sources (NVD, RH, CVE registries) as a vulnerability affecting Proxmox VE before version 3.2, named “AccessControl.pm User Enumeration Vulnerability.” Public references note a moderate...
CVE-2025-57539
Vulnerability summary (CVE-2025-57539) : Proxmox Virtual Environment 8.4 is affected by a stored XSS in the U2F Origin field of the Datacenter configuration. Authenticated users can store input that is rendered unsafely in the Web UI and executed when viewed by others, potentially enabling sessio...
CVE-2025-57538
The CVE-2025-57538 entry describes a stored XSS flaw in Proxmox Virtual Environment (PVE) 8.4, lodged in the HTTP Proxy field of the Datacenter configuration panel. An authenticated user can inject input that is stored and later executes in other users’ browsers when viewing the affected page, en...
CVE-2025-57540
CVE-2025-57540 describes a stored cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment (PVE) 8.4, specifically in the WebAuthn Relying Party field of the Datacenter configuration. The issue allows authenticated users to inject JavaScript that runs in the browsers of others who ...