RSS   Vulnerabilities for 'Arangodb'   RSS

2022-02-09
 
CVE-2021-25939

CWE-918
 

 
In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.

 
2021-11-16
 
CVE-2021-25940

CWE-613
 

 
In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user�??s password is changed by the administrator, the session isn�??t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.

 
2021-05-24
 
CVE-2021-25938

CWE-79
 

 
In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip files can be named to. There is no X-Frame-Options Header set, which makes it more susceptible for leveraging self XSS by attackers.

 


Copyright 2024, cxsecurity.com

 

Back to Top