This page lists publicly disclosed CVE vulnerabilities affecting thycotic secret_server (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2021-41845 | A SQL injection issue was discovered in ThycoticCentrify Secret Server before 11.0.000007. The only affected versions are 10.9.000032 through 11.0.000006. | [email protected] | 6.5 | 0.22% | 2021-10-01 | 2024-11-21 |
| CVE-2019-18357 | An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2). | [email protected] | 6.1 | 0.31% | 2019-10-23 | 2024-11-21 |
| CVE-2019-18356 | An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 1 of 2). | [email protected] | 6.1 | 0.31% | 2019-10-23 | 2024-11-21 |
| CVE-2019-18355 | An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. | [email protected] | 9.8 | 0.42% | 2019-10-23 | 2024-11-21 |
| CVE-2014-4861 | The Remote Desktop Launcher in Thycotic Secret Server before 8.6.000010 does not properly cleanup a temporary file that contains an encrypted password once a session has ended. | [email protected] | 9.8 | 0.50% | 2018-03-09 | 2024-11-21 |
| CVE-2017-11725 | The share function in Thycotic Secret Server before 10.2.000019 mishandles the Back Button, leading to unintended redirections. | [email protected] | 5.4 | 0.16% | 2017-07-29 | 2026-05-13 |
| CVE-2015-3443 | Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly handled when toggling the password mask. | [email protected] | 3.5 | 1.52% | 2015-07-02 | 2026-05-06 |
| CVE-2015-4094 | The Thycotic Password Manager Secret Server application through 2.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | [email protected] | 5.8 | 0.08% | 2015-06-02 | 2026-05-06 |