Csweb
Monthly
Census CSWeb 8.0.1 contains an information disclosure vulnerability where the app/config endpoint is reachable via HTTP without authentication in certain deployments, allowing remote attackers to retrieve sensitive configuration data including secrets. This vulnerability has a CVSS score of 9.1 (Critical) and affects Census CSWeb versions prior to 8.1.0 alpha. A public proof-of-concept exploit is available on GitHub (https://github.com/hx381/cspro-exploits), significantly increasing the risk of active exploitation.
Census CSWeb 8.0.1 contains a stored cross-site scripting (XSS) vulnerability in user-supplied fields that allows authenticated attackers to inject and persist malicious JavaScript code, which executes when victims access affected pages in their browsers. The vulnerability affects CSWeb versions prior to 8.1.0 alpha, and a public proof-of-concept exploit is available on GitHub, increasing real-world exploitation risk. While the CVSS score of 4.6 reflects moderate severity, the combination of authenticated access requirement, user interaction dependency, and published exploit code suggests this poses a meaningful but contained threat to Census CSWeb deployments.
Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability allowing authenticated remote attackers to upload malicious files and achieve remote code execution. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing the risk of exploitation. The vulnerability affects the Census CSWeb data dissemination platform used for hosting census and survey data online.
Census CSWeb 8.0.1 contains a path traversal vulnerability (CWE-22) allowing authenticated remote attackers to access arbitrary files outside intended directories through unvalidated file path input. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing exploitation risk. With a CVSS score of 8.8 and low attack complexity requiring only low-level privileges, this poses a critical threat to organizations running the affected version.
Census CSWeb 8.0.1 contains an information disclosure vulnerability where the app/config endpoint is reachable via HTTP without authentication in certain deployments, allowing remote attackers to retrieve sensitive configuration data including secrets. This vulnerability has a CVSS score of 9.1 (Critical) and affects Census CSWeb versions prior to 8.1.0 alpha. A public proof-of-concept exploit is available on GitHub (https://github.com/hx381/cspro-exploits), significantly increasing the risk of active exploitation.
Census CSWeb 8.0.1 contains a stored cross-site scripting (XSS) vulnerability in user-supplied fields that allows authenticated attackers to inject and persist malicious JavaScript code, which executes when victims access affected pages in their browsers. The vulnerability affects CSWeb versions prior to 8.1.0 alpha, and a public proof-of-concept exploit is available on GitHub, increasing real-world exploitation risk. While the CVSS score of 4.6 reflects moderate severity, the combination of authenticated access requirement, user interaction dependency, and published exploit code suggests this poses a meaningful but contained threat to Census CSWeb deployments.
Census CSWeb 8.0.1 contains an arbitrary file upload vulnerability allowing authenticated remote attackers to upload malicious files and achieve remote code execution. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing the risk of exploitation. The vulnerability affects the Census CSWeb data dissemination platform used for hosting census and survey data online.
Census CSWeb 8.0.1 contains a path traversal vulnerability (CWE-22) allowing authenticated remote attackers to access arbitrary files outside intended directories through unvalidated file path input. A public proof-of-concept exploit is available on GitHub (hx381/cspro-exploits), significantly increasing exploitation risk. With a CVSS score of 8.8 and low attack complexity requiring only low-level privileges, this poses a critical threat to organizations running the affected version.