StackStorm 0.11.4

CPE Details

StackStorm 0.11.4
stackstorm
stackstorm
0.11.4
2019-03-11
15h17 +00:00
2019-03-11
15h17 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:stackstorm:stackstorm:0.11.4:*:*:*:*:*:*:*

Informations

Vendor

stackstorm

Product

stackstorm

Version

0.11.4

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2022-43706 2022-12-05 00h00 +00:00 Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be executed in Web UI for other logged in users.
5.4
Medium
CVE-2021-44657 2021-12-15 13h28 +00:00 In StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default.
8.8
High
CVE-2021-28667 2021-03-18 01h16 +00:00 StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name).
7.5
High
CVE-2019-9580 2019-03-09 03h00 +00:00 In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS.
6.1
Medium
CVE-2018-20345 2018-12-21 19h00 +00:00 Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=" query filter parameters. Enterprise editions with RBAC enabled are not affected.
5.3
Medium
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.