| Description | Reported date | Severity | Affected versions | Fixed versions | Reported by |
|---|---|---|---|---|---|
| SQL Injection on Product Search Field. | 3 May 2021 | High | >= 3.10 up to 3.12.0 (included) | 3.12.1 | Internal development team. |
| Stored Cross-Site-Scripting vulnerability using the "Insert Question" action in the rules editor. | 4 Dec 2020 | Medium | IriusRisk 1.x to 3.7.1 | IriusRisk 3.8.0 | Discovered during internal security reviews. |
| Security - Admin interface publicly available - SAML /metadata endpoint. Use of this interface could cause an application DoS. | 19 Nov 2020 | High | IriusRisk 2.4.0 up to 3.6.0 | IriusRisk 2.4.12, 3.6.1 and 3.6.2 | A customer. |
| Stored Cross-Site-Scripting vulnerability for the username variable. | 04 Feb 2020 | Medium | IriusRisk 1.x to 2.3.3 | IriusRisk 2.4.0 | Discovered during internal security reviews. |
| Library importation process allows Remote Command Execution (RCE): Java code can be mixed with the Java Drools specifications. This problem is mitigated by the fact that the user has to have full permissions to update rules within the system. | 31 Jan 2020 | High | IriusRisk 1.x to 2.3.3 | IriusRisk 2.4.0 | Discovered during internal security reviews. |
| Stored Cross-Site-Scripting vulnerability for the Tag variable in the "Edit dataflow" window. | 30 Dec 2019 | Medium | IriusRisk 1.x to 2.3.3 | IriusRisk 2.4.0 | Discovered during internal security reviews. |
| Stored Cross-Site-Scripting vulnerability for the Issue Id variable in the Countermeasures tab. | 19 Dec 2019 | Medium | IriusRisk 1.x to 2.4.0 | IriusRisk 2.4.0 | Discovered during internal security reviews. |
| Stored Cross-Site-Scripting vulnerability in UI exception messages. | 09 May 2019 | Medium | IriusRisk 1.x to 2.0.0 | IriusRisk 2.1.0 | Discovered during internal security reviews. |
| Bad permission check on the /api/v1/users API endpoint: DELETE (delete users) does not correctly check the ALL_USERS_UPDATE or MANAGE_USERS_BU permission. | | Medium | IriusRisk 1.9.0 to 1.12.1 | IriusRisk 2.x branch. | Discovered during internal security reviews. |
| Bad permission check on the /api/v1/users API endpoint: POST (create users) does not correctly check the ALL_USERS_UPDATE permission. This endpoint only supports user pre-creation when IriusRisk is integrated with LDAP or SAML IdPs. | | Medium | IriusRisk 1.8.0 to 1.12.1 | IriusRisk 2.x branch. | Discovered during internal security reviews. |
| Password returned in a clear-text response - fixed in the integration modules. | | Medium | IriusRisk 1.x branch. | IriusRisk 2.x branch. | Pramod Rana, Security Engineer. |
| Updated our validation filter to fix a stored Cross-Site-Scripting vulnerability in the "My Recent Activity" view. | | High | IriusRisk 1.x branch < 1.12.1 | IriusRisk 1.12.1 and IriusRisk 2.x branch. | Discovered during internal security reviews. |