Vulnerabilities related to btcpayserver - btcpay_server
Vulnerability from fkie_nvd
Published
2021-05-05 13:15
Modified
2024-11-21 06:00
Severity: 5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, Primary); 3.5 (Low) - AV:N/AC:M/Au:S/C:N/I:P/A:N (CVSS v2)
Summary
BTCPay Server through 1.0.7.0 suffers from a stored cross-site scripting (XSS, CWE-79) vulnerability in the POS "Add Products" functionality. An authenticated user who can edit POS products can store a payload that runs in the browser of anyone viewing the affected page; the reported impact is session-cookie theft (only cookies readable from script are exposed). Fixed in the release following 1.0.7.0 per the vendor advisory.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
cve@mitre.org | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions up to and including 1.0.7.0) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5050DF6F-E9D9-411A-94E4-8B3C96EDB32C", "versionEndIncluding": "1.0.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality. This enables cookie stealing." }, { "lang": "es", "value": "BTCPay Server versiones hasta 1.0.7.0, sufre una vulnerabilidad de tipo Cross Site Scripting (XSS) almacenado dentro de la funcionalidad POS Add Products.\u0026#xa0;Esto permite el robo de cookies" } ], "id": "CVE-2021-29250", "lastModified": "2024-11-21T06:00:53.067", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-05T13:15:07.787", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-03-02 05:15
Modified
2024-11-21 07:38
Severity: 5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, Primary); 5.7 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H (reporter: security@huntr.dev, Secondary)
Summary
Improper Neutralization of Equivalent Special Elements (CWE-76) in btcpayserver/btcpayserver prior to 1.8.0; patched in commit ddb125f, with an exploit in the huntr.dev report. The reporter's CVSS 3.0 score (5.7: high privileges required, high availability impact) and NVD's CVSS 3.1 score (5.4: low privileges, changed scope, no availability impact) disagree, so check the huntr.dev report before triaging.
References
Source | URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92 | Patch | |
security@huntr.dev | https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f | Exploit, Third Party Advisory | |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions before 1.8.0) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF93CD27-A3BD-4F17-BE43-6E1F3E795E04", "versionEndExcluding": "1.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0." } ], "id": "CVE-2023-1149", "lastModified": "2024-11-21T07:38:33.287", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H", "version": "3.0" }, "exploitabilityScore": 0.9, "impactScore": 4.7, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-03-02T05:15:11.647", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-76" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-03-26 23:15
Modified
2024-11-21 06:00
Severity: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD, Primary); 5.0 (Medium) - AV:N/AC:L/Au:N/C:P/I:N/A:N (CVSS v2)
Summary
BTCPay Server before 1.0.6.0, when the payment button is used, has a privacy vulnerability (information disclosure). NVD assigns no CWE (NVD-CWE-noinfo) and rates it as network-reachable with no privileges or user interaction required and high confidentiality impact; the 1.0.6.0 release notes are the only referenced detail.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.btcpayserver.org/btcpay-server-1-0-6-0/ | Release Notes, Vendor Advisory | |
cve@mitre.org | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.btcpayserver.org/btcpay-server-1-0-6-0/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions before 1.0.6.0) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6D1B717-841B-4D4B-9FAC-29113EA7288B", "versionEndExcluding": "1.0.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server before 1.0.6.0, when the payment button is used, has a privacy vulnerability." }, { "lang": "es", "value": "BTCPay Server versiones anteriores a 1.0.6.0, cuando es usado el bot\u00f3n de pago, presenta una vulnerabilidad de privacidad." } ], "id": "CVE-2021-29249", "lastModified": "2024-11-21T06:00:52.927", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-03-26T23:15:11.523", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/btcpay-server-1-0-6-0/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], 
"url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/btcpay-server-1-0-6-0/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-02-17 02:15
Modified
2024-11-21 07:38
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (reporter: security@huntr.dev, Secondary)
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, Primary)
Summary
Stored cross-site scripting (XSS, CWE-79) in btcpayserver/btcpayserver prior to 1.7.12; patched in PR #4635 (commit f2f3b24), with an exploit in the huntr.dev report. The reporter rated it as requiring no privileges (PR:N), while NVD rated it as requiring low privileges with changed scope (PR:L, S:C).
References
Source | URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/btcpayserver/btcpayserver/pull/4635/commits/f2f3b245c4d8980d8e54e4708c796df82332c3d7 | Patch | |
security@huntr.dev | https://huntr.dev/bounties/9464e3c6-961d-4e23-8b3d-07cbb31de541 | Exploit, Patch | |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions before 1.7.12) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C4246CD-7443-49C2-A4DB-E030E01F856A", "versionEndExcluding": "1.7.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.12.\n\n" }, { "lang": "es", "value": "Vulnerabilidad de Cross-site scripting (XSS) almacenado en el repositorio de GitHub btcpayserver/btcpayserver antes de la versi\u00f3n 1.7.12." } ], "id": "CVE-2023-0879", "lastModified": "2024-11-21T07:38:01.520", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@huntr.dev", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-02-17T02:15:10.680", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/btcpayserver/btcpayserver/pull/4635/commits/f2f3b245c4d8980d8e54e4708c796df82332c3d7" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Patch" ], "url": 
"https://huntr.dev/bounties/9464e3c6-961d-4e23-8b3d-07cbb31de541" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/btcpayserver/btcpayserver/pull/4635/commits/f2f3b245c4d8980d8e54e4708c796df82332c3d7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://huntr.dev/bounties/9464e3c6-961d-4e23-8b3d-07cbb31de541" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@huntr.dev", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-04-01 05:15
Modified
2024-11-21 06:00
Severity: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD, Primary); 3.5 (Low) - AV:N/AC:M/Au:S/C:N/I:P/A:N (CVSS v2)
Summary
BTCPay Server before 1.0.7.1 mishandles the policy setting that controls whether users can register (Server Settings > Policies). This affects Docker deployments in which a mail server is configured. NVD rates it as a network-reachable, low-privilege integrity issue (I:H) with no CWE assigned; operators should verify that the registration policy is enforced as intended after upgrading to 1.0.7.1.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Release Notes, Vendor Advisory | |
cve@mitre.org | https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1 | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions before 1.0.7.1) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "26CEEA4C-3BF8-4319-9ECA-A8E58F05E776", "versionEndExcluding": "1.0.7.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server before 1.0.7.1 mishandles the policy setting in which users can register (in Server Settings \u003e Policies). This affects Docker use cases in which a mail server is configured." }, { "lang": "es", "value": "BTCPay Server versiones anteriores a 1.0.7.1, maneja inapropiadamente la configuraci\u00f3n de pol\u00edtica en la que unos usuarios pueden registrarse (en Server Settings ) Policies).\u0026#xa0;Esto afecta a los casos de uso de Docker en los que se configura un servidor de correo." } ], "id": "CVE-2021-29251", "lastModified": "2024-11-21T06:00:53.213", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2021-04-01T05:15:13.233", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-10 18:15
Modified
2024-11-21 06:22
Severity: 6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Primary); 4.9 (Medium) - CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L (reporter: security@huntr.dev, Secondary); 4.3 (Medium) - AV:N/AC:M/Au:N/C:N/I:P/A:N (CVSS v2)
Summary
btcpayserver before 1.2.3 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting', CWE-79). Patched in commit fc4e47c; the huntr.dev report (bounty 32e30ecf) includes an exploit. NVD rates it as exploitable without privileges (PR:N), whereas the reporter rated it adjacent-network with low privileges required.
References
Source | URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e | Patch, Third Party Advisory | |
security@huntr.dev | https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions before 1.2.3) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6CCB4A9-307F-453C-A13D-968CA153F2EA", "versionEndExcluding": "1.2.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, { "lang": "es", "value": "btcpayserver, es vulnerable a una neutralizaci\u00f3n inapropiada de la entrada durante la generaci\u00f3n de la p\u00e1gina web (\"Cross-site Scripting\")" } ], "id": "CVE-2021-3646", "lastModified": "2024-11-21T06:22:04.070", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.0" }, "exploitabilityScore": 1.5, "impactScore": 3.4, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", 
"integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-10T18:15:22.527", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@huntr.dev", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-26 09:15
Modified
2024-11-21 06:22
Severity: 5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, Primary); 3.8 (Low) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N (reporter: security@huntr.dev, Secondary); 3.5 (Low) - AV:N/AC:M/Au:S/C:N/I:P/A:N (CVSS v2)
Summary
btcpayserver through 1.2.3 (per NVD's CPE range) is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting', CWE-79). Patched in the same commit fc4e47c that is cited for CVE-2021-3646, whose NVD range excludes 1.2.3 — the two affected-version ranges disagree, so confirm the fixed version against the commit rather than relying on the CPE range alone.
References
Source | URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e | Patch, Third Party Advisory | |
security@huntr.dev | https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions up to and including 1.2.3 per NVD; see note in summary) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3501CC28-53A0-49E2-86DB-05B5AB41747F", "versionEndIncluding": "1.2.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, { "lang": "es", "value": "btcpayserver es vulnerable a una Neutralizaci\u00f3n Inapropiada de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web (\"Cross-site Scripting\")" } ], "id": "CVE-2021-3830", "lastModified": "2024-11-21T06:22:33.717", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", 
"privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-26T09:15:09.843", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@huntr.dev", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-26 23:15
Modified
2024-11-21 07:37
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (reporter: security@huntr.dev, Secondary)
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Primary)
Summary
Improper Neutralization of Equivalent Special Elements (CWE-76; NVD classifies it under CWE-74, injection) in btcpayserver/btcpayserver prior to 1.7.5. The Packet Storm reference describes it as an HTML injection in 1.7.4; patched in PR #4545 (commit 02070d6). Note the score disagreement: the reporter (huntr.dev) rated it 5.3 with availability impact only, while NVD rated it 8.8 with high confidentiality, integrity and availability impact — triage against the huntr.dev exploit rather than either score alone.
References
Source | URL | Tags | |
---|---|---|---|
security@huntr.dev | http://packetstormsecurity.com/files/171732/BTCPay-Server-1.7.4-HTML-Injection.html | Third Party Advisory, VDB Entry | |
security@huntr.dev | https://github.com/btcpayserver/btcpayserver/pull/4545/commits/02070d65836cd24627929b3403efbae8de56039a | Patch | |
security@huntr.dev | https://huntr.dev/bounties/3a73b45c-6f3e-4536-a327-cdfdbc59896f | Exploit, Patch, Third Party Advisory | |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions before 1.7.5) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "10680F85-A173-4539-965D-2181DC3C4347", "versionEndExcluding": "1.7.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.\n\n" }, { "lang": "es", "value": "Neutralizaci\u00f3n incorrecta de elementos especiales equivalentes en el repositorio de GitHub btcpayserver/btcpayserver antes de 1.7.5." } ], "id": "CVE-2023-0493", "lastModified": "2024-11-21T07:37:17.177", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-26T23:15:15.920", "references": [ { "source": "security@huntr.dev", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/171732/BTCPay-Server-1.7.4-HTML-Injection.html" }, { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": 
"https://github.com/btcpayserver/btcpayserver/pull/4545/commits/02070d65836cd24627929b3403efbae8de56039a" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/3a73b45c-6f3e-4536-a327-cdfdbc59896f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/171732/BTCPay-Server-1.7.4-HTML-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/btcpayserver/btcpayserver/pull/4545/commits/02070d65836cd24627929b3403efbae8de56039a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/3a73b45c-6f3e-4536-a327-cdfdbc59896f" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-76" } ], "source": "security@huntr.dev", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-05 13:15
Modified
2024-11-21 06:00
Severity: 5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD, Primary); 5.0 (Medium) - AV:N/AC:L/Au:N/C:P/I:N/A:N (CVSS v2)
Summary
BTCPay Server through 1.0.7.0 generates legacy API keys using the non-cryptographic pseudo-random method `Next` (CWE-338: use of a cryptographically weak PRNG). Keys produced this way may be predictable, so legacy API keys created on affected versions should be regenerated after upgrading rather than carried over.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
cve@mitre.org | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * (versions up to and including 1.0.7.0) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5050DF6F-E9D9-411A-94E4-8B3C96EDB32C", "versionEndIncluding": "1.0.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key." }, { "lang": "es", "value": "BTCPay Server versiones hasta 1.0.7.0, usa un m\u00e9todo d\u00e9bil Next para producir valores pseudoaleatorios para generar una clave API heredada" } ], "id": "CVE-2021-29245", "lastModified": "2024-11-21T06:00:52.343", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-05T13:15:07.583", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "cve@mitre.org", "tags": [ 
"Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-338" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-05 13:15
Modified
2024-11-21 06:00
Summary
BTCPay Server through 1.0.7.0 suffers from directory traversal, which allows an attacker with admin privileges to achieve code execution. The attacker must craft a malicious plugin file containing special characters so that the uploaded file is written outside of the restricted directory.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
cve@mitre.org | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5050DF6F-E9D9-411A-94E4-8B3C96EDB32C", "versionEndIncluding": "1.0.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 suffers from directory traversal, which allows an attacker with admin privileges to achieve code execution. The attacker must craft a malicious plugin file with special characters to upload the file outside of the restricted directory." }, { "lang": "es", "value": "BTCPay Server versiones hasta 1.0.7.0, sufre un salto de directorio, permitiendo a un atacante con privilegios de administrador lograr una ejecuci\u00f3n de c\u00f3digo.\u0026#xa0;El atacante debe crear un archivo plugin malicioso con caracteres especiales para cargar el archivo fuera del directorio restringido" } ], "id": "CVE-2021-29246", "lastModified": "2024-11-21T06:00:52.507", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, 
"exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-05T13:15:07.650", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-05 13:15
Modified
2024-11-21 06:00
Summary
BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information because the HTTPOnly flag is not set on a cookie, which leaves that cookie readable by client-side script.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
cve@mitre.org | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5050DF6F-E9D9-411A-94E4-8B3C96EDB32C", "versionEndIncluding": "1.0.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie." }, { "lang": "es", "value": "BTCPay Server versiones hasta 1.0.7.0, podr\u00eda permitir a un atacante remoto obtener informaci\u00f3n confidencial, causado por un fallo para ajustar el flag HTTPOnly para una cookie" } ], "id": "CVE-2021-29247", "lastModified": "2024-11-21T06:00:52.647", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-05T13:15:07.677", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-732" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-05 13:15
Modified
2024-11-21 06:00
Summary
BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information because the Secure flag is not set on a cookie, which allows that cookie to be sent over unencrypted HTTP.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
cve@mitre.org | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btcpayserver/btcpayserver/releases | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5050DF6F-E9D9-411A-94E4-8B3C96EDB32C", "versionEndIncluding": "1.0.7.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie." }, { "lang": "es", "value": "BTCPay Server versiones hasta 1.0.7.0, podr\u00eda permitir a un atacante remoto obtener informaci\u00f3n confidencial, causada por un fallo en el ajuste de la Secure flag para una cookie" } ], "id": "CVE-2021-29248", "lastModified": "2024-11-21T06:00:52.787", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-05T13:15:07.707", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-311" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-31 22:15
Modified
2024-11-21 07:07
Summary
BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the credentials of a lightning node are exposed.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
btcpayserver | btcpay_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8195AB97-8ABD-4422-81E8-8D0D4B97268A", "versionEndIncluding": "1.5.3", "versionStartIncluding": "1.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn\u0027t using the internal lightning node, the credentials of a lightning node are exposed." }, { "lang": "es", "value": "BTCPay Server v1.3.0 a v1.5.3 permite a un atacante remoto obtener informaci\u00f3n confidencial cuando se expone una aplicaci\u00f3n de punto de venta p\u00fablica. La informaci\u00f3n confidencial, que se encuentra en el c\u00f3digo fuente HTML, incluye el xpub de la tienda. Adem\u00e1s, si la tienda no utiliza el nodo Lightning interno, las credenciales de un nodo Lightning quedan expuestas." 
} ], "id": "CVE-2022-32984", "lastModified": "2024-11-21T07:07:21.393", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-31T22:15:08.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2021-29245
Vulnerability from cvelistv5
Published
2021-05-05 12:25
Modified
2024-08-03 22:02
Summary
BTCPay Server through 1.0.7.0 uses a weak pseudo-random method (Next) to produce the values from which a legacy API key is generated.
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/releases | x_refsource_MISC | |
https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.193Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T12:25:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29245", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "BTCPay Server through 1.0.7.0 uses a weak method Next to produce pseudo-random values to generate a legacy API key." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/releases", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "name": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/", "refsource": "MISC", "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29245", "datePublished": "2021-05-05T12:25:34", "dateReserved": "2021-03-26T00:00:00", "dateUpdated": "2024-08-03T22:02:51.193Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-3830
Vulnerability from cvelistv5
Published
2021-09-26 08:15
Modified
2024-08-03 17:09
Summary
btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e | x_refsource_MISC | |
https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
btcpayserver | btcpayserver/btcpayserver |
Version: unspecified < 1.2.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:09:09.611Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "btcpayserver/btcpayserver", "vendor": "btcpayserver", "versions": [ { "lessThan": "1.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-26T08:15:14", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8" } ], "source": { "advisory": "0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8", "discovery": "EXTERNAL" }, "title": 
"Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3830", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "btcpayserver/btcpayserver", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.2.3" } ] } } ] }, "vendor_name": "btcpayserver" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" }, { "name": "https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8" } ] }, "source": { "advisory": "0fcdee5f-1f07-47ce-b650-ea8b4a7d35d8", "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", 
"assignerShortName": "@huntrdev", "cveId": "CVE-2021-3830", "datePublished": "2021-09-26T08:15:14", "dateReserved": "2021-09-26T00:00:00", "dateUpdated": "2024-08-03T17:09:09.611Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29249
Vulnerability from cvelistv5
Published
2021-03-26 22:20
Modified
2024-08-03 22:02
Summary
BTCPay Server before 1.0.6.0, when the payment button is used, has a privacy vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/releases | x_refsource_MISC | |
https://blog.btcpayserver.org/btcpay-server-1-0-6-0/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.307Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.btcpayserver.org/btcpay-server-1-0-6-0/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server before 1.0.6.0, when the payment button is used, has a privacy vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-26T22:20:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.btcpayserver.org/btcpay-server-1-0-6-0/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29249", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "BTCPay Server before 1.0.6.0, when the payment button is used, has a privacy vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/releases", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "name": "https://blog.btcpayserver.org/btcpay-server-1-0-6-0/", "refsource": "MISC", "url": "https://blog.btcpayserver.org/btcpay-server-1-0-6-0/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29249", "datePublished": "2021-03-26T22:20:08", "dateReserved": "2021-03-26T00:00:00", "dateUpdated": "2024-08-03T22:02:51.307Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29250
Vulnerability from cvelistv5
Published
2021-05-05 12:26
Modified
2024-08-03 22:02
Summary
BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality. This enables cookie stealing.
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/releases | x_refsource_MISC | |
https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.830Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality. This enables cookie stealing." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T12:26:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29250", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "BTCPay Server through 1.0.7.0 suffers from a Stored Cross Site Scripting (XSS) vulnerability within the POS Add Products functionality. This enables cookie stealing." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/releases", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "name": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/", "refsource": "MISC", "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29250", "datePublished": "2021-05-05T12:26:01", "dateReserved": "2021-03-26T00:00:00", "dateUpdated": "2024-08-03T22:02:51.830Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-3646
Vulnerability from cvelistv5
Published
2021-09-10 18:02
Modified
2024-08-03 17:01
Summary
btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
▼ | URL | Tags |
---|---|---|
https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613 | x_refsource_CONFIRM | |
https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
btcpayserver | btcpayserver/btcpayserver |
Version: unspecified < 1.2.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:01:07.963Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "btcpayserver/btcpayserver", "vendor": "btcpayserver", "versions": [ { "lessThan": "1.2.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-10T18:02:50", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" } ], "source": { "advisory": "32e30ecf-31fa-45f6-8552-47250ef0e613", "discovery": "EXTERNAL" }, 
"title": "Cross-site Scripting (XSS) - Reflected in btcpayserver/btcpayserver", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@huntr.dev", "ID": "CVE-2021-3646", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting (XSS) - Reflected in btcpayserver/btcpayserver" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "btcpayserver/btcpayserver", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.2.3" } ] } } ] }, "vendor_name": "btcpayserver" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "ADJACENT", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/32e30ecf-31fa-45f6-8552-47250ef0e613" }, { "name": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/commit/fc4e47cec608cc3dba24b19d0145ac69320b975e" } ] }, "source": { "advisory": "32e30ecf-31fa-45f6-8552-47250ef0e613", "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": 
"c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2021-3646", "datePublished": "2021-09-10T18:02:50", "dateReserved": "2021-07-14T00:00:00", "dateUpdated": "2024-08-03T17:01:07.963Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29246
Vulnerability from cvelistv5
Published
2021-05-05 12:25
Modified
2024-08-03 22:02
Summary
BTCPay Server through 1.0.7.0 suffers from a directory traversal vulnerability in plugin upload that allows an authenticated attacker with server-administrator privileges to achieve code execution. The attacker must craft a malicious plugin file whose name contains path-traversal sequences so that it is written outside the restricted directory. The record does not state the fixed version; see the linked vendor disclosure and release notes.
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/releases | x_refsource_MISC | |
https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.544Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 suffers from directory traversal, which allows an attacker with admin privileges to achieve code execution. The attacker must craft a malicious plugin file with special characters to upload the file outside of the restricted directory." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T12:25:43", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29246", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "BTCPay Server through 1.0.7.0 suffers from directory traversal, which allows an attacker with admin privileges to achieve code execution. 
The attacker must craft a malicious plugin file with special characters to upload the file outside of the restricted directory." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/releases", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "name": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/", "refsource": "MISC", "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29246", "datePublished": "2021-05-05T12:25:43", "dateReserved": "2021-03-26T00:00:00", "dateUpdated": "2024-08-03T22:02:51.544Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-0879
Vulnerability from cvelistv5
Published
2023-02-17 00:00
Modified
2024-08-02 05:24
Summary
Stored cross-site scripting (XSS) in BTCPay Server (GitHub repository btcpayserver/btcpayserver) in versions prior to 1.7.12; fixed in 1.7.12. The CNA's CVSS 3.1 vector rates the issue as network-reachable without privileges but requiring user interaction; the record does not name the affected input, so see the linked huntr report and fix commit.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
btcpayserver | btcpayserver/btcpayserver | Version: unspecified < 1.7.12 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:24:34.697Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/9464e3c6-961d-4e23-8b3d-07cbb31de541" }, { "tags": [ "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/pull/4635/commits/f2f3b245c4d8980d8e54e4708c796df82332c3d7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "btcpayserver/btcpayserver", "vendor": "btcpayserver", "versions": [ { "lessThan": "1.7.12", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eCross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.12.\u003c/p\u003e" } ], "value": "Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.12.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-10T07:21:01.577Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "url": "https://huntr.dev/bounties/9464e3c6-961d-4e23-8b3d-07cbb31de541" }, { "url": 
"https://github.com/btcpayserver/btcpayserver/pull/4635/commits/f2f3b245c4d8980d8e54e4708c796df82332c3d7" } ], "source": { "advisory": "9464e3c6-961d-4e23-8b3d-07cbb31de541", "discovery": "EXTERNAL" }, "title": "Cross-site Scripting (XSS) - Stored in btcpayserver/btcpayserver", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2023-0879", "datePublished": "2023-02-17T00:00:00", "dateReserved": "2023-02-17T00:00:00", "dateUpdated": "2024-08-02T05:24:34.697Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29251
Vulnerability from cvelistv5
Published
2021-04-01 04:42
Modified
2024-08-03 22:02
Summary
BTCPay Server before 1.0.7.1 mishandles the "users can register" policy setting (Server Settings > Policies). The issue affects Docker deployments in which a mail server is configured. The record does not describe the concrete effect of the mishandling, so consult the linked vendor disclosure and the v1.0.7.1 release notes before assessing exposure.
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1 | x_refsource_MISC | |
https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.335Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server before 1.0.7.1 mishandles the policy setting in which users can register (in Server Settings \u003e Policies). This affects Docker use cases in which a mail server is configured." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T12:14:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29251", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "BTCPay Server before 1.0.7.1 mishandles the policy setting in which users can register (in Server Settings \u003e Policies). This affects Docker use cases in which a mail server is configured." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/releases/tag/v1.0.7.1" }, { "name": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/", "refsource": "MISC", "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29251", "datePublished": "2021-04-01T04:42:18", "dateReserved": "2021-03-26T00:00:00", "dateUpdated": "2024-08-03T22:02:51.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1149
Vulnerability from cvelistv5
Published
2023-03-02 00:00
Modified
2024-08-02 05:40
Summary
Improper Neutralization of Equivalent Special Elements (CWE-76) in BTCPay Server (GitHub repository btcpayserver/btcpayserver) prior to 1.8.0; fixed in 1.8.0. The CNA's CVSS 3.0 vector rates the issue as requiring high privileges and user interaction, with high availability impact; the record does not name the affected input, so see the linked huntr report and fix commit.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
btcpayserver | btcpayserver/btcpayserver | Version: unspecified < 1.8.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:40:57.973Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f" }, { "tags": [ "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "btcpayserver/btcpayserver", "vendor": "btcpayserver", "versions": [ { "lessThan": "1.8.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-76", "description": "CWE-76 Improper Neutralization of Equivalent Special Elements", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-02T00:00:00", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f" }, { "url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92" } ], "source": { "advisory": "2e734209-d7b0-4f57-a8be-c65c82208f2f", "discovery": "EXTERNAL" }, "title": "Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver" } }, "cveMetadata": { "assignerOrgId": 
"c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2023-1149", "datePublished": "2023-03-02T00:00:00", "dateReserved": "2023-03-02T00:00:00", "dateUpdated": "2024-08-02T05:40:57.973Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-0493
Vulnerability from cvelistv5
Published
2023-01-26 00:00
Modified
2024-08-02 05:10
Summary
Improper Neutralization of Equivalent Special Elements (CWE-76) in BTCPay Server (GitHub repository btcpayserver/btcpayserver) prior to 1.7.5; fixed in 1.7.5. The linked Packet Storm reference describes the issue as HTML injection in BTCPay Server 1.7.4; the CNA's CVSS 3.1 vector rates it as unauthenticated and network-reachable, with low availability impact only.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
btcpayserver | btcpayserver/btcpayserver | Version: unspecified < 1.7.5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:10:56.450Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/3a73b45c-6f3e-4536-a327-cdfdbc59896f" }, { "tags": [ "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/pull/4545/commits/02070d65836cd24627929b3403efbae8de56039a" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/171732/BTCPay-Server-1.7.4-HTML-Injection.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "btcpayserver/btcpayserver", "vendor": "btcpayserver", "versions": [ { "lessThan": "1.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eImproper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.\u003c/p\u003e" } ], "value": "Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-76", "description": "CWE-76 Improper Neutralization of Equivalent Special Elements", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-10T07:22:20.882Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": 
"@huntrdev" }, "references": [ { "url": "https://huntr.dev/bounties/3a73b45c-6f3e-4536-a327-cdfdbc59896f" }, { "url": "https://github.com/btcpayserver/btcpayserver/pull/4545/commits/02070d65836cd24627929b3403efbae8de56039a" }, { "url": "http://packetstormsecurity.com/files/171732/BTCPay-Server-1.7.4-HTML-Injection.html" } ], "source": { "advisory": "3a73b45c-6f3e-4536-a327-cdfdbc59896f", "discovery": "EXTERNAL" }, "title": "Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2023-0493", "datePublished": "2023-01-26T00:00:00", "dateReserved": "2023-01-25T00:00:00", "dateUpdated": "2024-08-02T05:10:56.450Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29248
Vulnerability from cvelistv5
Published
2021-05-05 12:25
Modified
2024-08-03 22:02
Summary
BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information because a cookie is issued without the Secure attribute. Without that attribute the browser will also send the cookie over unencrypted HTTP, where a network-positioned attacker can capture it. The record does not name the cookie; see the linked vendor disclosure.
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/releases | x_refsource_MISC | |
https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.264Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T12:25:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29248", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/releases", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "name": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/", "refsource": "MISC", "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29248", "datePublished": "2021-05-05T12:25:55", "dateReserved": "2021-03-26T00:00:00", "dateUpdated": "2024-08-03T22:02:51.264Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29247
Vulnerability from cvelistv5
Published
2021-05-05 12:25
Modified
2024-08-03 22:02
Summary
BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information because a cookie is issued without the HttpOnly attribute. Without that attribute the cookie is readable by client-side JavaScript, so any script-injection (XSS) flaw in the application can exfiltrate it. The record does not name the cookie; see the linked vendor disclosure.
References
▼ | URL | Tags |
---|---|---|
https://github.com/btcpayserver/btcpayserver/releases | x_refsource_MISC | |
https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.312Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-05T12:25:49", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29247", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/btcpayserver/btcpayserver/releases", "refsource": "MISC", "url": "https://github.com/btcpayserver/btcpayserver/releases" }, { "name": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/", "refsource": "MISC", "url": "https://blog.btcpayserver.org/vulnerability-disclosure-v1-0-7-0/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29247", "datePublished": "2021-05-05T12:25:49", "dateReserved": "2021-03-26T00:00:00", "dateUpdated": "2024-08-03T22:02:51.312Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-32984
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2024-08-03 07:54
Summary
BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The information, embedded in the HTML source of the public POS page, includes the store's extended public key (xpub). In addition, if the store is not using the internal Lightning node, the credentials of the configured external Lightning node are exposed. Operators who ran an affected version with a public POS app should treat those Lightning node credentials as compromised and rotate them after upgrading.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:54:03.456Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn\u0027t using the internal lightning node, the credentials of a lightning node are exposed." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-31T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://blog.btcpayserver.org/btcpay-server-cve-2022-32984/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-32984", "datePublished": "2023-01-31T00:00:00", "dateReserved": "2022-06-10T00:00:00", "dateUpdated": "2024-08-03T07:54:03.456Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }