Alfresco: Security Vulnerabilities
A cross-site scripting (XSS) vulnerability exists in Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2022-03-04
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment.
CVSS Score: 8.8 | EPSS Score: 0.009 | Published: 2021-10-21
An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0. An evasion of the XSS filter for HTML input validation in the Alfresco Share User Interface leads to stored XSS that could be exploited by an attacker (given that he has privileges on the content collaboration features).
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-10-21
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3. A crafted HTML file, once uploaded, could trigger an unexpected request by the transformation engine. The response to the request is not available to the attacker, i.e., this is blind SSRF.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2021-10-21
The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can gain admin access to the system by exploiting this vulnerability. It impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0.
CVSS Score: 9.3 | EPSS Score: 0.002 | Published: 2020-09-18
The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password, including the admin account.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2020-09-17
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.
CVSS Score: 5.4 | EPSS Score: 0.009 | Published: 2020-03-02
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.
CVSS Score: 5.4 | EPSS Score: 0.007 | Published: 2020-03-02
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.
CVSS Score: 5.4 | EPSS Score: 0.009 | Published: 2020-03-02
Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2019-12-02

