Accenture/AARO-Bugs

An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.

PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.

The foldername parameter in Bolt 5.1.7 was discovered to have incorrect input validation, allowing attackers to perform directory enumeration or cause a Denial of Service (DoS) via a crafted input.

Tricentis qTest before 10.4 allows stored XSS by an authenticated attacker.

In LabCup before <v2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03.

Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03.

Trace Financial Crest Bridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.

Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03.

Trace Financial CRESTBridge <6.3.0.02 contains a stored XSS vulnerability, which was fixed in 6.3.0.03.

An Insecure Direct Object Reference (IDOR) vulnerability in Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify any existing user, including users assigned to different environments and clients. It was fixed in v2021.1.0.2.

Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to escalate privileges to superadministrator. It was fixed in v2021.1.0.2.

SmartStream Transaction Lifecycle Management (TLM) Reconciliation Premium (RP) <3.1.0 allows XSS. This was fixed in TLM RP 3.1.0.

Annex Cloud Loyalty Experience Platform <2021.1.0.1 allows any authenticated attacker to modify loyalty campaigns and settings, such as fraud prevention, coupon groups, email templates, or referrals.

OpenIAM before 4.2.0.3 does not verify if a user has permissions to perform /webconsole/rest/api/* administrative actions.

OpenIAM before 4.2.0.3 has Incorrect Access Control for the Create User, Modify User Permissions, and Password Reset actions.

OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script.

OpenIAM before 4.2.0.3 allows Directory Traversal in the Batch task.

OpenIAM before 4.2.0.3 allows XSS in the Add New User feature.

Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, affecting all versions prior to R20-2 GA. Fixed in version R20-2 GA.

Username enumeration in present in Tufin SecureTrack. It's affecting all versions of SecureTrack. The vendor has decided not to fix this vulnerability. Vendor's response: "This attack requires access to the internal network. If an attacker is part of the internal network, they do not require access to TOS to know the usernames".

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were present in Tufin SecureTrack, affecting all versions prior to R20-2 GA.

Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in, the value is reflected back to the user, but is also stored within the DB and can be later triggered again by the same victim, or also later by different users). Both stored, and reflected payloads are triggerable by admin, so malicious non-authenticated user could get admin level access. Even malicious low-privileged user can inject XSS, which can be executed by admin, potentially elevating privileges and obtaining admin access. (issue 3 of 3)

Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in, the value is reflected back to the user, but is also stored within the DB and can be later triggered again by the same victim, or also later by different users). Both stored, and reflected payloads are triggerable by admin, so malicious non-authenticated user could get admin level access. Even malicious low-privileged user can inject XSS, which can be executed by admin, potentially elevating privileges and obtaining admin access. (issue 2 of 3)

Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in, the value is reflected back to the user, but is also stored within the DB and can be later triggered again by the same victim, or also later by different users). Both stored, and reflected payloads are triggerable by admin, so malicious non-authenticated user could get admin level access. Even malicious low-privileged user can inject XSS, which can be executed by admin, potentially elevating privileges and obtaining admin access. (issue 1 of 3)

Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1.

Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) unauthenticated users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1 are affected. Vulnerabilities were fixed in R19.3 HF3 and R20-1 HF1