Skip to main content

Secret Server

17 CVEs product

Monthly

CVE-2025-12810 MEDIUM This Month

Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. [CVSS 6.5 MEDIUM]

Authentication Bypass Secret Server
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-12908 HIGH POC This Week

Delinea addressed a reported case on Secret Server v11.7.31 (protocol handler version 6.0.3.26) where, within the protocol handler function, URI's were compared before normalization and. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Code Injection RCE Secret Server
NVD
CVSS 3.1
8.3
EPSS
0.7%
CVE-2024-33891 HIGH POC This Week

Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Secret Server
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-25653 MEDIUM This Month

Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Secret Server
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-25652 HIGH This Week

In Delinea PAM Secret Server 11.4, it is possible for a user assigned "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE (with access to the Report. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Secret Server
NVD
CVSS 3.1
8.4
EPSS
0.6%
CVE-2024-25651 MEDIUM This Month

User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Secret Server
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-25649 MEDIUM This Month

In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key,. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Secret Server
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2024-25650 MEDIUM This Month

Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Microsoft Distributed Engine Secret Server
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2023-4589 HIGH This Week

Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Secret Server
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2023-4588 MEDIUM This Month

File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Secret Server
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2021-41845 MEDIUM This Month

A SQL injection issue was discovered in ThycoticCentrify Secret Server before 11.0.000007. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Secret Server
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2019-18357 MEDIUM This Month

An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secret Server
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-18356 MEDIUM This Month

An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 1 of 2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secret Server
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-18355 CRITICAL Act Now

An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Secret Server
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2017-11725 MEDIUM This Month

The share function in Thycotic Secret Server before 10.2.000019 mishandles the Back Button, leading to unintended redirections. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Open Redirect Secret Server
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2015-3443 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Secret Server
NVD Exploit-DB
CVSS 2.0
3.5
EPSS
1.6%
CVE-2015-4094 MEDIUM This Month

The Thycotic Password Manager Secret Server application through 2.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Apple Information Disclosure Secret Server
NVD
CVSS 2.0
5.8
EPSS
0.1%
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules).This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. [CVSS 6.5 MEDIUM]

Authentication Bypass Secret Server
NVD
EPSS 1% CVSS 8.3
HIGH POC This Week

Delinea addressed a reported case on Secret Server v11.7.31 (protocol handler version 6.0.3.26) where, within the protocol handler function, URI's were compared before normalization and. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Code Injection RCE Secret Server
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Secret Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Secret Server
NVD
EPSS 1% CVSS 8.4
HIGH This Week

In Delinea PAM Secret Server 11.4, it is possible for a user assigned "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE (with access to the Report. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Secret Server
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Secret Server
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key,. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Secret Server
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Microsoft Distributed Engine +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Insufficient verification of data authenticity vulnerability in Delinea Secret Server, in its v10.9.000002 version. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Secret Server
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Secret Server
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A SQL injection issue was discovered in ThycoticCentrify Secret Server before 11.0.000007. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Secret Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secret Server
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 1 of 2). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Secret Server
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Secret Server
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The share function in Thycotic Secret Server before 10.2.000019 mishandles the Back Button, leading to unintended redirections. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Open Redirect Secret Server
NVD
EPSS 2% CVSS 3.5
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Secret Server
NVD Exploit-DB
EPSS 0% CVSS 5.8
MEDIUM This Month

The Thycotic Password Manager Secret Server application through 2.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Apple Information Disclosure Secret Server
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy