VYPR

Ngrinder

by Naver

Source repositories

CVEs (7)

  • CVE-2016-5060MedDec 13, 2016
    risk 0.40cvss 6.1epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save.

  • CVE-2024-28212Mar 7, 2024
    risk 0.01cvss epss 0.01

    nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.

  • CVE-2024-28216Mar 7, 2024
    risk 0.00cvss epss 0.00

    nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.

  • CVE-2024-28215Mar 7, 2024
    risk 0.00cvss epss 0.01

    nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.

  • CVE-2024-28214Mar 7, 2024
    risk 0.00cvss epss 0.01

    nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker.

  • CVE-2024-28213Mar 7, 2024
    risk 0.00cvss epss 0.01

    nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.

  • CVE-2024-28211Mar 7, 2024
    risk 0.00cvss epss 0.01

    nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.