Litmuschaos Litmus vulnerabilities

9 known vulnerabilities affecting litmuschaos/litmus.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 8

Vulnerabilities

CVE-2025-14261 | HIGH | CVSS 7.1 | fixed in 3.23.0 | 2025-12-08
CWE-331. The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack.
Source: nvd
CVE-2025-8794 | MEDIUM | CVSS 4.8 | affected ≤ 3.19.0 (v3.0 + 19 more) | 2025-08-10
CWE-285. A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local access is required to approach this attack. The exploit has been disclosed t…
Source: nvd
CVE-2025-8796 | MEDIUM | CVSS 5.3 | affected ≤ 3.19.0 (v3.0 + 19 more) | 2025-08-10
CWE-862. A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack can be initiated remotely. The exploit has been disclos…
Source: nvd
CVE-2025-8792 | MEDIUM | CVSS 5.3 | affected ≤ 3.19.0 (v3.0 + 19 more) | 2025-08-10
CWE-602. A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this di…
Source: nvd
CVE-2025-8791 | MEDIUM | CVSS 5.3 | affected ≤ 3.19.0 (v3.0 + 19 more) | 2025-08-10
CWE-266. A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/list_projects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor wa…
Source: nvd
CVE-2025-8797 | MEDIUM | CVSS 5.3 | affected ≤ 3.19.0 (v3.0 + 19 more) | 2025-08-10
CWE-266. A vulnerability was found in LitmusChaos Litmus up to 3.19.0 and classified as critical. This issue affects some unknown processing of the component LocalStorage Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about t…
Source: nvd
CVE-2025-8793 | MEDIUM | CVSS 5.3 | affected ≤ 3.19.0 (v3.0 + 19 more) | 2025-08-10
CWE-99. A vulnerability classified as problematic was found in LitmusChaos Litmus up to 3.19.0. Affected by this vulnerability is an unknown functionality. The manipulation of the argument projectID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was…
Source: nvd
CVE-2025-8795 | MEDIUM | CVSS 5.3 | affected ≤ 3.19.0 (v3.0 + 19 more) | 2025-08-10
CWE-266. A vulnerability, which was classified as critical, was found in LitmusChaos Litmus up to 3.19.0. This affects an unknown part of the file /auth/login. The manipulation of the argument projectID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was…
Source: nvd
CVE-2009-2474 | MEDIUM | CVSS 5.9 | affected ≥ 0, < 0.13-1 | 2009-08-21
neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Source: osv