Portainer
by Portainer
Source repositories
CVEs (27)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-16872 | 0.00 | — | 0.01 | Nov 7, 2019 | Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4). | |||
| CVE-2019-16874 | 0.00 | — | 0.01 | Nov 7, 2019 | Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4). | |||
| CVE-2019-16873 | 0.00 | — | 0.01 | Nov 7, 2019 | Portainer before 1.22.1 has XSS (issue 1 of 2). | |||
| CVE-2018-19466 | 0.00 | — | 0.04 | Mar 27, 2019 | A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls. | |||
| CVE-2018-19367 | 0.00 | — | 0.01 | Nov 20, 2018 | Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case. | |||
| CVE-2018-16316 | Med | 0.00 | 5.4 | 0.01 | Sep 1, 2018 | A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field. | ||
| CVE-2018-12678 | Cri | 0.00 | 9.8 | 0.02 | Jun 22, 2018 | Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks. |
- CVE-2019-16872Nov 7, 2019risk 0.00cvss —epss 0.01
Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4).
- CVE-2019-16874Nov 7, 2019risk 0.00cvss —epss 0.01
Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4).
- CVE-2019-16873Nov 7, 2019risk 0.00cvss —epss 0.01
Portainer before 1.22.1 has XSS (issue 1 of 2).
- CVE-2018-19466Mar 27, 2019risk 0.00cvss —epss 0.04
A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls.
- CVE-2018-19367Nov 20, 2018risk 0.00cvss —epss 0.01
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
- risk 0.00cvss 5.4epss 0.01
A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field.
- risk 0.00cvss 9.8epss 0.02
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks.
Page 2 of 2