Advisories for Golang/Github.com/Argoproj/Argo-Cd/V3 package

Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. Component: Project API (/api/v1/projects/{project}/detailed)

This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with permission to edit the repository. In ui/src/app/shared/components/urls.ts, the following code exists to parse the repository URL.