CVE-2025-46547
------------------------------------------
In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, Incorrect Access Control, or exploiting a SQL injection issue.
------------------------------------------
[Additional Information]
I contacted the vendor in November 2024 and reported the existence of a vulnerability.
CVE-2025-46546
------------------------------------------
In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects /api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.
------------------------------------------
[Additional Information]
I contacted the vendor in November 2024 and reported the existence of a vulnerability.
CVE-2025-46545
------------------------------------------
In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.
------------------------------------------
[Additional Information]
I contacted the vendor in November 2024 and reported the existence of a vulnerability.
The vendor confirmed the vulnerability.
CVE-2025-46544
------------------------------------------
In Sherpa Orchestrator 141851, Incorrect Access Control allows privilege escalation via role/user creation, due to missing user permission validation for most application requests.
------------------------------------------
[Additional Information]
I contacted the vendor in November 2024 and reported the existence of a vulnerability.
The vendor confirmed the vulnerability.
CVE-2021-28109
------------------------------------------
TranzWare (POI) FIMI before 4.2.20.4.2 had an XSS vulnerability that was fixed with a notification sent to all customers using TranzWare (POI) FIMI.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered vulnerabilities in third-party software, TranzWare (POI) FIMI v.4.2.17.5.