ErambaCVEs & Vulnerabilities

9 CVEs affecting Eramba products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

eramba 11
CVE-2023-36255HIGH

An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.

3 Aug 2023
8.8
CVSS
CVE-2022-43342MEDIUM

A stored cross-site scripting (XSS) vulnerability in the Add function of Eramba GRC Software c2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the KPI Title text field.

14 Nov 2022
5.4
CVSS
CVE-2020-28031MEDIUM

eramba through c2.8.1 allows HTTP Host header injection with (for example) resultant wkhtml2pdf PDF printing by authenticated users.

3 Nov 2020
4.3
CVSS
CVE-2020-25105CRITICAL

eramba c2.8.1 and Enterprise before e2.19.3 has a weak password recovery token (createHash has only a million possibilities).

3 Sep 2020
9.8
CVSS
CVE-2020-25104MEDIUM

eramba c2.8.1 and Enterprise before e2.19.3 allows XSS via a crafted filename for a file attached to an object. For example, the filename has a complete XSS payload followed by the .png extension.

3 Sep 2020
5.4
CVSS
CVE-2018-7997MEDIUM

Eramba e1.0.6.033 has Reflected XSS on the Error page of the CSV file inclusion tab of the /importTool/preview URI, with a CSV file polluted with malicious JavaScript.

9 Mar 2018
6.1
CVSS
CVE-2018-7996MEDIUM

Eramba e1.0.6.033 has Stored XSS on the tooltip box via the /programScopes description parameter.

9 Mar 2018
6.1
CVSS
CVE-2018-7894MEDIUM

Eramba e1.0.6.033 has Reflected XSS in reviews/filterIndex/ThirdPartyRiskReview via the advanced_filter parameter (aka the Search Parameter).

9 Mar 2018
6.1
CVSS
CVE-2018-7741MEDIUM

Eramba e1.0.6.033 has Reflected XSS in the Date Filter via the created parameter to the /crons URI.

7 Mar 2018
6.1
CVSS
← PrevPage 1 / 1Next →