opencrx 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、vendor risk xxe, and vendor risk ssrf に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で vendor impact session compromise などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2023-27151 | openCRX 5.2.0 was discovered to contain an HTML injection vulnerability for Search Criteria-Activity Number (in the Saved Search Activity) via the Name, Description, or Activity Number field. | [email protected] | 6.1 | 0.45% | 2024-02-29 | 2025-05-08 |
| CVE-2023-27150 | openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity. | [email protected] | 5.4 | 0.40% | 2023-12-26 | 2024-11-21 |
| CVE-2023-40817 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-40816 | OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-40815 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-40814 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-40813 | OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-40812 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-40810 | OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-40809 | OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number. | [email protected] | 6.1 | 0.46% | 2023-11-18 | 2024-11-21 |
| CVE-2023-46502 | An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. | [email protected] | 9.8 | 0.72% | 2023-10-30 | 2024-11-21 |
| CVE-2022-40084 | OpenCRX before v5.2.2 was discovered to be vulnerable to password enumeration due to the difference in error messages received during a password reset which could enable an attacker to determine if a username, email or ID is valid. | [email protected] | 5.3 | 0.63% | 2022-10-20 | 2025-05-08 |
| CVE-2021-25959 | In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance. | [email protected] | 6.1 | 0.84% | 2021-09-29 | 2024-11-21 |
| CVE-2020-7378 | CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020. | [email protected] | 9.1 | 2.62% | 2020-11-24 | 2024-11-21 |