63 matches found

Github Security Blog
added 2025/05/30 3:30 p.m. · 14 views

Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server

Summary: A security vulnerability has been identified in go-gh where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. Details: The GitHub CLI and CLI...

CVSS 9.8 · AI score 7.6 · EPSS 0.00429
Exploits 0 · References 4 · Affected Software 1
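The client-side check the go-gh class of issue above calls for: a "browse" URL supplied by the server is untrusted input, and a local opener (xdg-open, open, or the Windows file-protocol handler) will happily treat a file-system path as something to run. The example below is added here for illustration and is not code from go-gh or the GitHub CLI; the function names, the sample server responses and the `opener` callback are assumptions.

```python
"""Treat URLs supplied by a remote server as untrusted before opening them locally.

Illustration added to this listing; not code from go-gh or the GitHub CLI.
Rule applied: only absolute http(s) URLs with a host may be handed to a local
opener; file-system paths and non-web schemes are refused.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeBrowseURL(ValueError):
    """Raised when a server-provided URL must not be opened locally."""


def validate_browse_url(raw: str) -> str:
    """Return `raw` (stripped) if it is an absolute http(s) URL, else raise.

    Rejects plain paths ("/usr/bin/evil", "C:\\evil.exe"), which have no http(s)
    scheme, non-web schemes ("file://", "javascript:"), and scheme-only strings
    such as "https:" that carry no host.
    """
    if not isinstance(raw, str) or not raw.strip():
        raise UnsafeBrowseURL("empty URL")
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeBrowseURL(f"refusing scheme {parts.scheme!r}: {candidate!r}")
    if not parts.netloc:
        raise UnsafeBrowseURL(f"refusing URL without host: {candidate!r}")
    return candidate


def open_in_browser(url_from_server: str, opener) -> bool:
    """Hypothetical client path: validate, then call `opener` (e.g. webbrowser.open).

    Returns True when the URL was handed to `opener`, False when it was refused.
    """
    try:
        url = validate_browse_url(url_from_server)
    except UnsafeBrowseURL:
        return False
    opener(url)
    return True


if __name__ == "__main__":
    # Constructed sample "server" responses: some benign, some hostile.
    samples = [
        "https://github.example.com/acme/widgets/pull/42",
        "http://ghes.internal/acme/widgets",
        "/usr/local/bin/evil",            # a path a naive opener would execute
        "C:\\Users\\Public\\evil.exe",
        "file:///etc/passwd",
        "javascript:alert(1)",
        "https:",                         # scheme but no host
    ]
    for s in samples:
        ok = open_in_browser(s, lambda u: print("  -> would open", u))
        print(f"{'ALLOW ' if ok else 'REFUSE'} {s}")
```

The check is deliberately an allowlist on scheme plus a non-empty host rather than a denylist of bad prefixes; a server that can choose the string can always find a new spelling for a denylisted one.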
RedhatCVE
added 2025/05/23 5:38 a.m. · 8 views

CVE-2023-26051

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated...

CVSS 6.5 · AI score 6.6 · EPSS 0.00817
Exploits 0 · References 1
RedhatCVE
added 2025/05/08 6:19 p.m. · 19 views

CVE-2025-46736

Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds a...

CVSS 5.3 · AI score 7 · EPSS 0.00306
Exploits 0 · References 1
RedhatCVE
added 2025/05/01 11:12 p.m. · 7 views

CVE-2025-46552

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, was exposed in API responses...

CVSS 6.3 · AI score 6.4 · EPSS 0.00317
Exploits 0 · References 1
NVD
added 2025/04/29 11:16 p.m. · 32 views

CVE-2025-46552

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, was exposed in API responses...

CVSS 6.3 · EPSS 0.00317
Exploits 0 · References 2
OSV
added 2025/04/29 10:13 p.m. · 4 views

CVE-2025-46552 KHC-INVITATION-AUTOMATION Sensitive User Information Leakage in Invitation Automation

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, was exposed in API responses...

CVSS 6.3 · AI score 6.5 · EPSS 0.00317
Exploits 0 · References 2
Veracode
added 2025/04/17 5:45 a.m. · 12 views

Account Enumeration

shopware/core is vulnerable to Account Enumeration. The vulnerability is due to differing API responses that reveal whether an email address is associated with an account, allowing attackers to infer user registration status...

CVSS 6.9 · AI score 6.6 · EPSS 0.00347
Exploits 1 · References 6 · Affected Software 2
Veracode
added 2025/04/04 4:51 a.m. · 14 views

Sensitive Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to improper error handling: sensitive data is exposed in API responses when a ValidationError is triggered in flows using the "Webhook" trigger and "Data of Last Operation" response body...

CVSS 8.6 · AI score 6.5 · EPSS 0.00505
Exploits 1 · References 2 · Affected Software 1
RedhatCVE
added 2025/02/05 6:17 a.m. · 12 views

CVE-2024-5133

In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the GET /v1/users/me/org endpoint, which...

CVSS 9.1 · AI score 8 · EPSS 0.00543
Exploits 1 · References 1
NVD
added 2025/01/21 4:15 p.m. · 27 views

CVE-2025-24011

Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and...

CVSS 5.3 · EPSS 0.01451
Exploits 1 · References 3
Vulnrichment
added 2024/10/24 9:25 p.m. · 22 views

CVE-2024-49358 ZimaOS vulnerable to Username Enumeration via API Responses

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVSS 5.3 · AI score 5.3 · EPSS 0.00463
Exploits 1 · References 2
Cvelist
added 2024/10/24 9:25 p.m. · 22 views

CVE-2024-49358 ZimaOS vulnerable to Username Enumeration via API Responses

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVSS 5.3 · EPSS 0.00463
Exploits 1 · References 2
CVE
added 2024/10/24 9:25 p.m. · 87 views

CVE-2024-49358

ZimaOS (fork of CasaOS) prior to and including 1.2.4 is affected by CVE-2024-49358 due to an API behavior at /v1/users/login that reveals whether a username exists, enabling username enumeration. This is a network-facing issue with CVSS 5.3 (MEDIUM); no patched versions are publicly available per...

CVSS 5.3 · AI score 5.2 · EPSS 0.00463
Exploits 1 · References 2 · Affected Software 1
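The account-enumeration entries above (ZimaOS, the two Umbraco advisories, shopware) share one root cause: the login or lookup path does something observably different when the account does not exist, whether that is a different status or message, or skipping the password hash and so answering faster. The example below is added for illustration and is not code from any of those projects; the user store, the password, the endpoint shape and the `kdf_calls` counter (a deterministic stand-in for the timing a client would measure) are constructed. It shows the leaky handler next to the uniform-response one and the attacker's oracle that tells them apart.

```python
"""Username enumeration via divergent login responses, and the uniform-response fix.

Illustration added to this listing; not code from ZimaOS, Umbraco or shopware.
Users, passwords and endpoint names are constructed for the example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Deliberately low iteration count so the example runs quickly; real code uses a
# memory-hard KDF (argon2id/scrypt) or a far higher PBKDF2 count.
KDF_ITERATIONS = 20_000


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


# Constructed user store: username -> (salt, hash). One fixed salt keeps the demo short.
SALT = b"example-salt-16b"
USERS = {"alice": (SALT, kdf("correct horse battery staple", SALT))}

# Dummy credential the hardened handler verifies against for unknown users, so
# the work done (and the response) does not depend on whether the account exists.
# The dummy password is random and never disclosed, so it can never be matched.
DUMMY_SALT, DUMMY_HASH = SALT, kdf(os.urandom(16).hex(), SALT)


@dataclass
class Response:
    status: int
    body: str
    kdf_calls: int   # deterministic stand-in for the time a client would measure


def login_vulnerable(username: str, password: str) -> Response:
    """Different status and body for unknown users, and no KDF work for them."""
    rec = USERS.get(username)
    if rec is None:
        return Response(404, '{"error":"user not found"}', 0)
    salt, stored = rec
    if hmac.compare_digest(kdf(password, salt), stored):
        return Response(200, '{"token":"..."}', 1)
    return Response(401, '{"error":"password incorrect"}', 1)


def login_hardened(username: str, password: str) -> Response:
    """Same status, same body and same KDF work whether or not the user exists."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(kdf(password, salt), stored)
    # The membership check costs a dict lookup, negligible next to the KDF; it
    # only guards the (practically impossible) case of matching the dummy hash.
    if ok and username in USERS:
        return Response(200, '{"token":"..."}', 1)
    return Response(401, '{"error":"invalid credentials"}', 1)


def is_enumerable(handler, known_user: str, candidate: str) -> bool:
    """Attacker's oracle: send the same wrong password for a user known to exist
    and for `candidate`; any difference in status, body or work done reveals
    whether `candidate` exists."""
    a = handler(known_user, "definitely-wrong")
    b = handler(candidate, "definitely-wrong")
    return (a.status, a.body, a.kdf_calls) != (b.status, b.body, b.kdf_calls)


def measure_ms(handler, username: str) -> float:
    """Wall-clock form of the same probe, as a real client would run it."""
    t0 = time.perf_counter()
    handler(username, "definitely-wrong")
    return (time.perf_counter() - t0) * 1e3


if __name__ == "__main__":
    for name, h in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name:10s} enumerable={is_enumerable(h, 'alice', 'mallory')}  "
              f"alice={measure_ms(h, 'alice'):.1f}ms  mallory={measure_ms(h, 'mallory'):.1f}ms")
```

Running the `__main__` block shows the vulnerable handler answering the unknown user with a different status and in a fraction of the time, while the hardened one returns the same 401 body and spends the same KDF work on both. Timing differences this large survive network jitter; the Umbraco entries above are the same lesson applied to a management API rather than a login form.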
NVD
added 2024/06/06 7:16 p.m. · 29 views

CVE-2024-5133

In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the GET /v1/users/me/org endpoint, which...

CVSS 9.1 · EPSS 0.00543
Exploits 1 · References 1
Vulnrichment
added 2024/06/06 6:21 p.m. · 14 views

CVE-2024-5133 Account Takeover via Exposed Recovery Token in lunary-ai/lunary

In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the GET /v1/users/me/org endpoint, which...

CVSS 9.1 · AI score 6.8 · EPSS 0.00543
Exploits 1 · References 1
CVE
added 2024/06/06 6:21 p.m. · 79 views

CVE-2024-5133

CVE-2024-5133 affects lunary-ai/lunary v1.2.4, where the password recovery token (recovery_token) is exposed in API responses for GET /v1/users/me/org, listing all users in a team. Any authenticated user could capture another user’s recovery token and change their password, enabling account takeo...

CVSS 9.1 · AI score 8.7 · EPSS 0.00543
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2024/06/06 6:21 p.m. · 31 views

CVE-2024-5133 Account Takeover via Exposed Recovery Token in lunary-ai/lunary

In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the GET /v1/users/me/org endpoint, which...

CVSS 9.1 · EPSS 0.00543
Exploits 1 · References 1
NVD
added 2023/04/19 4:15 p.m. · 36 views

CVE-2023-22894

Strapi through 4.5.5 allows attackers with access to the admin panel to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then th...

CVSS 9.8 · AI score 5 · EPSS 0.01658
Exploits 2 · References 3
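The lunary entries above and the Strapi entry are two faces of the same missing control: a secret column (a recovery token, a password hash) that reaches a caller either because the list endpoint serialises every column, or because the caller is allowed to filter on it and can read the value back one character at a time from whether rows come back. The example below is added for illustration and is not code from lunary or Strapi; the in-memory user table, the field names, the `$eq`/`$startsWith` filter syntax and the endpoint functions are constructed. It shows both leaks against the vulnerable endpoint and the allowlist on returned and filterable columns that closes them.

```python
"""Two ways an API leaks a secret column: echoing it in a response (the lunary
recovery_token entries above) and letting the caller filter on it (the Strapi
entry). Illustration added to this listing; not code from either project.
The user table, field names and filter syntax below are constructed."""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class User:
    id: int
    email: str
    role: str
    recovery_token: Optional[str]   # secret: must never reach another user
    password_hash: str              # secret: must never reach anyone


USERS = [
    User(1, "alice@example.com", "owner", None, "$argon2id$...alice"),
    User(2, "bob@example.com", "member", "8f3c1a9e", "$argon2id$...bob"),
]

PUBLIC_FIELDS = ("id", "email", "role")      # what a team-mate may see
FILTERABLE_FIELDS = {"id", "email", "role"}  # what a team-mate may filter on


def _match(value, op: str, needle: str) -> bool:
    if value is None:
        return False
    value = str(value)
    if op == "$eq":
        return value == needle
    if op == "$startsWith":
        return value.startswith(needle)
    raise ValueError(f"unsupported operator {op!r}")


def _apply_filters(rows, filters):
    for field, cond in (filters or {}).items():
        for op, needle in cond.items():
            rows = [u for u in rows if _match(getattr(u, field), op, needle)]
    return rows


def list_users_vulnerable(filters=None):
    """Serialises every column (token and hash included) and filters on any column."""
    return [asdict(u) for u in _apply_filters(USERS, filters)]


def list_users_hardened(filters=None):
    """Allowlists both the filterable columns and the columns that are returned."""
    bad = set(filters or {}) - FILTERABLE_FIELDS
    if bad:
        raise PermissionError(f"filtering on {sorted(bad)} is not allowed")
    return [{k: getattr(u, k) for k in PUBLIC_FIELDS}
            for u in _apply_filters(USERS, filters)]


def extract_by_prefix(endpoint, user_id: int, field: str,
                      alphabet: str = "0123456789abcdef", max_len: int = 64) -> str:
    """Attacker's oracle against a filterable secret column: grow a prefix one
    character at a time, asking only whether user `user_id` has `field`
    starting with it, until no character extends the prefix. The value itself
    never has to appear in a response."""
    prefix = ""
    while len(prefix) < max_len:
        for ch in alphabet:
            rows = endpoint({"id": {"$eq": str(user_id)},
                             field: {"$startsWith": prefix + ch}})
            if rows:
                prefix += ch
                break
        else:
            break   # no extension matched: the whole value has been recovered
    return prefix


if __name__ == "__main__":
    print("vulnerable listing leaks:", [u["recovery_token"] for u in list_users_vulnerable()])
    print("hardened listing returns:", list_users_hardened())
    print("token inferred via filters:", extract_by_prefix(list_users_vulnerable, 2, "recovery_token"))
    try:
        extract_by_prefix(list_users_hardened, 2, "recovery_token")
    except PermissionError as e:
        print("hardened endpoint:", e)
```

The projection to `PUBLIC_FIELDS` is what stops the lunary-style leak; the `FILTERABLE_FIELDS` check is what stops the Strapi-style one, and the second is easy to forget because the secret never appears in a response body. Both allowlists belong at the serialisation and query layer, not in each handler, so a new column is private until someone explicitly exposes it.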
Positive Technologies
added 2023/03/02 12:00 a.m. · 9 views

PT-2023-20452 · Saleor · Saleor

Affected software and versions: Saleor prior to 3.1.48, 3.7.59, 3.8.0, 3.9.27, 3.10.14 and 3.11.12. Description: Some internal Python exceptions are...

CVSS 5.3 · AI score 5.1 · EPSS 0.00751
Exploits 0 · References 12
OSV
added 2022/10/19 4:15 p.m. · 14 views

CVE-2022-43420

Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses...

CVSS 5.4 · AI score 5.3
Exploits 0 · References 2