Every CVE whose affected-product data names Mitre Caldera, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (11)
CVE-2021-42559 — CVSS 8.8 (high): An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server…
CVE-2021-42561 — CVSS 8.8 (high): An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system"…
CVE-2020-19907 — CVSS 8.8 (high): A command injection vulnerability in the sandcat plugin of Caldera 2.3.1 and earlier allows authenticated attackers to execute any command…
CVE-2021-42560 — CVSS 8.8 (high): An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These…
CVE-2021-42562 — CVSS 8.1 (high): An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to…
CVE-2021-42558 — CVSS 6.1 (medium): An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by…
CVE-2022-40606 — CVSS 6.1 (medium): MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability…
CVE-2022-40605 — CVSS 6.1 (medium): MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability…
CVE-2022-41139 — CVSS 5.4 (medium): MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary…
CVE-2020-10807 — CVSS 5.3 (medium): auth_svc in Caldera before 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host…