Logpoint: Security Vulnerabilities
An issue was discovered in Logpoint before 7.5.0. Endpoints for creating, editing, or deleting third-party authentication modules lacked proper authorization checks. This allowed unauthenticated users to register their own authentication plugins in Logpoint, resulting in unauthorized access.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2024-11-07
An issue was discovered in Logpoint before 7.5.0. Unvalidated input during the EventHub Collector setup by an authenticated user leads to remote code execution.
CVSS Score: 6.4 | EPSS Score: 0.018 | Published: 2024-11-07
An issue was discovered in Logpoint SAML Authentication before 6.0.3. An attacker can place a crafted filename in the state field of a SAML SSO-URL response, and the file corresponding to this filename will ultimately be deleted. This can lead to a SAML Authentication login outage.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2024-05-27
An issue was discovered in Logpoint before 7.4.0. HTML code sent through logs wasn't being escaped in the "Interesting Field" Web UI, leading to XSS.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2024-05-07
An issue was discovered in Logpoint before 7.4.0. It allows Local File Inclusion (LFI) when an arbitrary File Path is used within the File System Collector. The content of the file specified can be viewed in the incoming logs.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2024-05-07
An issue was discovered in Logpoint before 7.4.0. An attacker can enumerate a valid list of usernames by observing the response time at the Forgot Password endpoint.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2024-05-07
An issue was discovered in Logpoint before 7.4.0. Due to a lack of input validation on URLs in threat intelligence, an attacker with low-level access to the system can trigger Server Side Request Forgery.
CVSS Score: 9.6 | EPSS Score: 0.002 | Published: 2024-05-07
An issue was discovered in Logpoint before 7.4.0. A path injection vulnerability is seen while adding a CSV enrichment source. The source_name parameter could be changed to an absolute path; this will write the CSV file to that path inside the /tmp directory.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2024-05-07
In Logpoint before 7.4.0, an attacker can enumerate a valid list of usernames by using publicly exposed URLs of shared widgets.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2024-05-01
An issue was discovered in Logpoint before 7.1.1. Template injection was seen in the search template. The search template uses Jinja templating for generating dynamic data. This could be abused to achieve code execution. Any user with access to create a search template can leverage this to execute code as the loginspect user.
CVSS Score: 8.4 | EPSS Score: 0.003 | Published: 2024-04-27

