Prolion

prolion

9 CVEs • 1 product

Products (1)

Click to collapse

Toggle

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-36654 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting pa...Show more Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting paths inside REST API endpoint parameters.Show less
CVE-2023-36652 1Prolion 1Cryptospike May 27, 2025 Dec 12, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 A SQL Injection in the users searching REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to read database data via SQL commands injected in the search parameter.
CVE-2023-36651 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Hidden and hard-coded credentials in ProLion CryptoSpike 3.0.15P2 allow remote attackers to login to web management as super-admin and consume the most privileged REST API endpoints via these credentials.
CVE-2023-36650 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A missing integrity check in the update system in ProLion CryptoSpike 3.0.15P2 allows attackers to execute OS commands as the root Linux user on the host system via forged update packages.
CVE-2023-36649 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens f...Show more Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate other users in web management and the REST API by reading JWT tokens from logs (as a Granafa authenticated user) or from the Loki REST API without authentication.Show less
CVE-2023-36648 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 8.2 HIGH· v3 N/A· v2 Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and...Show more Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by directly reading and writing data in Apache Kafka (as consumer and producer).Show less
CVE-2023-36647 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via...Show more A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens.Show less
CVE-2023-36646 1Prolion 1Cryptospike Nov 21, 2024 Dec 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpo...Show more Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.Show less
CVE-2023-36655 1Prolion 1Cryptospike Nov 21, 2024 Dec 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The login REST API in ProLion CryptoSpike 3.0.15P2 (when LDAP or Active Directory is used as the users store) allows a remote blocked user to login and obtain an authentication token by specifying a username with differe...Show more The login REST API in ProLion CryptoSpike 3.0.15P2 (when LDAP or Active Directory is used as the users store) allows a remote blocked user to login and obtain an authentication token by specifying a username with different uppercase/lowercase character combination.Show less