cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-9683,https://securityvulnerability.io/vulnerability/CVE-2024-9683,Truncated Passwords Can Still Pose a Risk to Password Security,"A vulnerability has been identified in Quay that allows successful user authentication even when only a truncated version of a password is used. This issue undermines the security integrity of password enforcement mechanisms, leading to potential weaknesses in the authentication process. While the standard length for passwords utilized typically reaches 73 characters, this vulnerability exploits the truncation, rendering it easier for attackers to perform brute-force or password-guessing attacks. Consequently, the overall effectiveness of password policies may be compromised, leaving systems at an increased risk of unauthorized access in the long run.",Red Hat,Red Hat Quay 3,5.3,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-10-17T14:08:57.482Z,0
CVE-2024-5891,https://securityvulnerability.io/vulnerability/CVE-2024-5891,Quay: unauthorized user may authenticate via oauth application token,"A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited to authentication and not authorization. However, in configurations where endpoints rely only on authentication, a user may authenticate to applications they otherwise have no access to.",Red Hat,Red Hat Quay 3,4.2,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-06-12T14:15:00.000Z,0
CVE-2023-4956,https://securityvulnerability.io/vulnerability/CVE-2023-4956,Quay: clickjacking on config-editor page severity,"A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.",Red Hat,"quay,Red Hat Quay 3",4.3,MEDIUM,0.0006799999973736703,false,false,false,false,,false,false,2023-11-07T20:15:00.000Z,0
CVE-2023-4959,https://securityvulnerability.io/vulnerability/CVE-2023-4959,Cross-site request forgery (csrf) on config-editor page,"A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges).",Red Hat,"quay,Red Hat Quay 3",6.5,MEDIUM,0.00046999999904073775,false,false,false,false,,false,false,2023-09-15T10:15:00.000Z,0
CVE-2023-3384,https://securityvulnerability.io/vulnerability/CVE-2023-3384,Quay: stored cross site scripting,"A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS).",Red Hat,Red Hat Quay 3,5.4,MEDIUM,0.0005300000193528831,false,false,false,false,,false,false,2023-07-24T16:15:00.000Z,0
CVE-2019-3864,https://securityvulnerability.io/vulnerability/CVE-2019-3864,,"A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. An attacker could use a leaked token to gain access to the system using the user's account.",Red Hat,Quay,5.4,MEDIUM,0.0007300000288523734,false,false,false,false,,false,false,2020-01-21T15:44:00.000Z,0
CVE-2019-10205,https://securityvulnerability.io/vulnerability/CVE-2019-10205,,A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry.,Red Hat,Quay,6,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2020-01-02T16:31:53.000Z,0