Apache Software Foundation IBM Cloudant vulnerabilities
3 known vulnerabilities affecting apache_software_foundation/ibm_cloudant.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2023-45725 | MEDIUM | CVSS 5.7 | CWE-200 | fixed in 8413 | 2023-12-13
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.
These design document functions are:
* list
* show
* rewrite
* update
An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as
cvelistv5, nvd
CVE-2023-26268 | MEDIUM | CVSS 5.3 | CWE-200 | ≤ 8349 | 2023-05-02
Design documents with matching document IDs, from databases on the same cluster, may share a mutable JavaScript environment when using these design document functions:
* validate_doc_update
* list
* filter
* filter views (using view functions as filters)
* rewrite
* update
This doesn't affect map/reduce or search (Dreyfus) index functions.
U
cvelistv5, nvd
CVE-2021-38295 | HIGH | CVSS 7.3 | CWE-79 | ≥ IBM Cloudant, < 8201 | 2021-10-14
In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach an HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A s
cvelistv5, nvd