CVEbaza.plSłownik CWECWE-1104
Common Weakness Enumeration

CWE-1104

Use of Unmaintained Third Party Components

Kategoria: BaseCVE: 21
Opis

Produkt opiera się na komponentach trzecich stron, które nie są aktywnie wspierane lub utrzymywane przez pierwotnego twórcę lub zaufanego pośrednika. Może to prowadzić do luk bezpieczeństwa i problemów z kompatybilnością.

Description (EN)

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

Podatności CVE z CWE-1104 (21)
10.0
CVSS
CRITICAL
CVE-2025-12104

Urządzenia Azure-Access BLU-IC2 oraz BLU-IC4 zawierają przestarzałe i podatne komponenty interfejsu użytkownika (UI dependencies), które mogą zostać wykorzystane przez atakującego. Podatność otrzymała maksymalny wynik CVSS 10.0, co klasyfikuje ją jako krytyczną.

pub. 2025-10-23
9.8
CVSS
CRITICAL
CVE-2025-40906

BSON::XS w wersjach 0.8.4 i wcześniejszych dla Perl zawiera dołączoną bibliotekę libbson 1.1.7, która posiada wiele znanych podatności krytycznych. Komponent ten jest szczególnie niebezpieczny, ponieważ dystrybucja osiągnęła koniec życia (end of life) w sierpniu 2020 roku i nie otrzymuje już żadnych aktualizacji bezpieczeństwa.

pub. 2025-05-16
9.8
CVSS
CRITICAL
CVE-2023-7102

Podatność w urządzeniach Barracuda Email Security Gateway (ESG) wynika z użycia podatnej biblioteki zewnętrznej (Spreadsheet-ParseExcel) i umożliwia atak typu parameter injection. Oceniona jako krytyczna (CVSS 9.8), pozwala nieuwierzytelnionemu atakującemu na zdalne przejęcie kontroli nad urządzeniem.

pub. 2023-12-24
9.3
CVSS
CRITICAL
CVE-2026-41468

Aplikacja SicuroWeb produktu Beghelli Sicuro24 osadza przestarzałą wersję AngularJS 1.5.2 (end-of-life) i zawiera podatność na template injection, co razem umożliwia atakującemu ucieczkę z sandbox AngularJS i wykonanie dowolnego kodu JavaScript w przeglądarce operatora. Podatność jest krytyczna, ponieważ pozwala na przejęcie sesji i trwałe skompromitowanie przeglądarki.

pub. 2026-04-22
9.3
CVSS
CRITICAL
CVE-2025-34192

Vasion Print (dawniej PrinterLogic) w wersjach Virtual Appliance Host poniżej 22.0.893 oraz Application poniżej 20.0.2140 (macOS/Linux) jest zbudowany z użyciem biblioteki OpenSSL 1.0.2h-fips z maja 2016 roku, której wsparcie zakończono w 2019 roku. Stosowanie niezałatanej, przestarzałej biblioteki kryptograficznej znacząco osłabia poziom bezpieczeństwa wdrożeń.

pub. 2025-09-19
9.3
CVSS
CRITICAL
CVE-2025-10220

Podatność w systemie Axxon One VMS wynika z użycia niezaktualizowanych, podatnych bibliotek NuGet. Umożliwia zdalnemu, nieuwierzytelnionemu atakującemu wykonanie dowolnego kodu lub ominięcie mechanizmów bezpieczeństwa.

pub. 2025-09-10
8.8
CVSS
HIGH
CVE-2024-8885

A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2024.2.0 and older allows writing of arbitrary files.

pub. 2024-10-02
8.8
CVSS
HIGH
CVE-2022-46871

An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108.

pub. 2022-12-22
8.7
CVSS
HIGH
CVE-2025-3497

The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product.

pub. 2025-07-09
8.7
CVSS
HIGH
CVE-2024-11999

CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete control of the device when an authenticated user installs malicious code into HMI product.

pub. 2024-12-17
8.5
CVSS
HIGH
CVE-2025-20010

Use of unmaintained third party components for some Intel(R) Processor Identification Utility before version 8.0.43 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

pub. 2025-11-11
8.3
CVSS
HIGH
CVE-2026-21821

The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk of client-side attacks such as Cross-Site Scripting (XSS) or manipulation through vulnerable third-party components.

pub. 2026-05-13
7.7
CVSS
HIGH
CVE-2023-37524

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service.  Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components.

pub. 2026-06-27
7.5
CVSS
HIGH
CVE-2024-35252

Azure Storage Movement Client Library Denial of Service Vulnerability

pub. 2024-06-11
7.1
CVSS
HIGH
CVE-2025-34193

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 include Windows client components (PrinterInstallerClientInterface.exe, PrinterInstallerClient.exe, PrinterInstallerClientLauncher.exe) that lack modern compile-time and runtime exploit mitigations and rely on outdated runtimes. These binaries are built as 32-bit, without Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Control Flow Guard (CFG), or stack-protection, and they incorporate legacy technologies (Pascal/Delphi and Python 2) which are no longer commonly maintained. Several of these processes run with elevated privileges (NT AUTHORITY\SYSTEM for PrinterInstallerClient.exe and PrinterInstallerClientLauncher.exe), and the client automatically downloads and installs printer drivers. The absence of modern memory safety mitigations and the use of unmaintained runtimes substantially increase the risk that memory-corruption or other exploit primitives — for example from crafted driver content or maliciously crafted inputs — can be turned into remote or local code execution and privilege escalation to SYSTEM. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.

pub. 2025-09-19
7.1
CVSS
HIGH
CVE-2025-48862

Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains unencrypted.

pub. 2025-08-14
6.6
CVSS
MEDIUM
CVE-2021-22142

Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.

pub. 2023-11-22
6.5
CVSS
MEDIUM
CVE-2024-21631

Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI type is used in several places in Vapor. A developer may decide to use URI to represent a URL in their application (especially if that URL is then passed to the HTTP Client) and rely on its public properties and methods. However, URI may fail to properly parse a valid (albeit abnormally long) URL, due to string ranges being converted to 16-bit integers. An attacker may use this behavior to trick the application into accepting a URL to an untrusted destination. By padding the port number with zeros, an attacker can cause an integer overflow to occur when the URL authority is parsed and, as a result, spoof the host. Version 4.90.0 contains a patch for this issue. As a workaround, validate user input before parsing as a URI or, if possible, use Foundation's `URL` and `URLComponents` utilities.

pub. 2024-01-03
3.5
CVSS
LOW
CVE-2025-52658

HCL MyXalytics jest podatny na użycie słabych/nieaktualnych wersji, które mogą narażać aplikację na znane zagrożenia bezpieczeństwa, które można wykorzystać.

pub. 2025-10-03
2.6
CVSS
LOW
CVE-2025-55277

HCL Aftermarket DPC jest zagrożony podatnością związaną z używaniem starych, podatnych wersji, które pozwalają atakującemu na wykorzystanie publicznie dostępnych exploitów do przeprowadzenia ataków na aplikację.

pub. 2026-03-26
Pokazano 20 z 21 podatności
Informacje
ID: CWE-1104
Typ: Base
Podatności: 21
MITRE CWE ↗
← Słownik CWE