Sherpa Orchestrator

sherpa_orchestrator

Vendor: Sherparpa • 4 CVEs

CVEs (4)

Vendors: 1 Sherparpa
Products: 1 Sherpa Orchestrator
Updated: Oct 16, 2025
Published: Apr 25, 2025
CVSS: N/A (v4), 6.1 MEDIUM (v3), N/A (v2)
In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue.

Vendors: 1 Sherparpa
Products: 1 Sherpa Orchestrator
Updated: Oct 16, 2025
Published: Apr 25, 2025
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.

Vendors: 1 Sherparpa
Products: 1 Sherpa Orchestrator
Updated: Oct 15, 2025
Published: Apr 25, 2025
CVSS: N/A (v4), 4.8 MEDIUM (v3), N/A (v2)
In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.

Vendors: 1 Sherparpa
Products: 1 Sherpa Orchestrator
Updated: Oct 15, 2025
Published: Apr 25, 2025
CVSS: N/A (v4), 6.5 MEDIUM (v3), N/A (v2)
In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles.