CVE-2019-18357
Published 2019-10-23
Priority: P4
CVSS 3.1 base score: 6.1 (MEDIUM), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.78% (51.5th percentile)
An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2).
Affected (2 ranges as indexed)
The CVE description names only Thycotic Secret Server. The Shopware range in the table matches the product of the cross-referenced Shopware advisory below (CVE-2019-12799, whose note cites CVE-2017-18357), not this CVE, so treat that row as an indexing artefact rather than an affected product.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopware | shopware | 5.3.0 – 5.6.0 | — |
| thycotic | secret_server | < 10.7.000000 | 10.7.000000 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| GHSA | not stated | 6.5 | MEDIUM | not given |
GHSA
GHSA-x3g9-prx7-8c62 (unreviewed, 2022-05-24): CVE-2019-18357 [MEDIUM] CWE-79
An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2).
GHSA (cross-referenced advisory, different CVE)
Shopware Insecure Deserialization Vulnerability (ghsa, 2022-05-24, CVSS 6.5): CVE-2019-12799 [MEDIUM] CWE-502
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.