Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

N/A

BOS ID

-
N/A

Tags

-
N/A

Related Bos

-
N/A

Note

-
N/A
Mapped CVEsMapped VendorsRelated AssignersReports
0Vulnerabilities found
CVE-2023-22463
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-90.30% / 99.58%
||
7 Day CHG~0.00%
Published-04 Jan, 2023 | 15:04
Updated-10 Mar, 2025 | 21:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KubePi's Hardcoded Jwtsigkeys allows malicious actor to login with a forged JWT token

KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.

Action-Not Available
Vendor-KubeOperator (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-kubepiKubePi
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2022-28074
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 43.18%
||
7 Day CHG~0.00%
Published-22 Apr, 2022 | 13:33
Updated-03 Aug, 2024 | 05:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools.

Action-Not Available
Vendor-n/aFIT2CLOUD Inc.
Product-halon/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22124
Assigner-Mend
ShareView Details
Assigner-Mend
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.45%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 16:45
Updated-17 Sep, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-halohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22123
Assigner-Mend
ShareView Details
Assigner-Mend
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.97%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 16:45
Updated-17 Sep, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-halohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')