Lucene search
K

28 matches found

ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-50283

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId...

5.3CVSS5.8AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/27 5:17 p.m.6 views

GHSA-WC7J-G8WX-M2QX Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling

Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...

8.1CVSS6AI score0.00141EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/27 5:17 p.m.9 views

Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling

Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...

6AI score0.00141EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.11 views

PT-2026-44148

Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...

8.1CVSS6AI score0.00141EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/04/21 10:14 p.m.3 views

CVE-2026-40928 AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/21 10:14 p.m.32 views

CVE-2026-40928 AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

5.4CVSS0.00115EPSS
Exploits1References2
CVE
CVE
added 2026/04/21 10:14 p.m.15 views

CVE-2026-40928

WWBN AVideo (versions ≤ 29.0) exposes state-changing JSON endpoints under objects/ without CSRF protection or origin/referer checks. A logged-in user can be coerced to perform actions via attacker-controlled HTML: like/dislike comments (objects/comments_like.json.php), post comments with attacker...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/21 10:14 p.m.5 views

EUVD-2026-24523

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2
OSV
OSV
added 2026/04/14 11:12 p.m.6 views

GHSA-X2PW-9C38-CP2J WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

Summary Multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently: 1. Cast/flip the...

5.4CVSS5.9AI score0.00115EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/14 11:12 p.m.9 views

WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

Summary Multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently: 1. Cast/flip the...

5.4CVSS5.9AI score0.00115EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/02 9:32 p.m.4 views

EUVD-2026-18544

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete...

6.9CVSS5.9AI score0.00281EPSS
Exploits0References4
NVD
NVD
added 2026/04/02 8:16 p.m.3 views

CVE-2026-35383

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete...

6.9CVSS0.00281EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/02 7:4 p.m.14 views

CVE-2026-35383 Bentley Systems iTwin Platform exposed access token

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete...

6.9CVSS0.00281EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/02 7:4 p.m.1 views

CVE-2026-35383 Bentley Systems iTwin Platform exposed access token

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete...

6.9CVSS5.8AI score0.00281EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/02 7:4 p.m.1 views

CVE-2026-35383

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete...

6.9CVSS5.9AI score0.00281EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/02 12:0 a.m.6 views

Bentley Systems iTwin Platform 安全漏洞

Bentley Systems iTwin Platform is a digital twin cloud platform developed by Bentley Systems. It supports infrastructure data modeling and full-lifecycle management. There is a security vulnerability in Bentley Systems iTwin Platform, which stems from exposed access tokens in the web page source...

6.9CVSS5.8AI score0.00281EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.2 views

EUVD-2021-12028

Malware in sbrugna...

6.5CVSS6.4AI score0.00408EPSS
Exploits2References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2007-0627

Malware in sbrugna...

6.4CVSS6.4AI score0.01377EPSS
Exploits0References7
OSV
OSV
added 2024/03/06 10:58 a.m.16 views

BIT-NEOS-2022-30429

Multiple cross-site scripting XSS vulnerabilities in Neos CMS allow attackers with the editor role or higher to inject arbitrary script or HTML code using the editor function, the deletion of assets, or a workspace title. The vulnerabilities were found in versions 3.3.29 and 8.0.1 and could also ...

5.4CVSS5.5AI score0.00564EPSS
Exploits1References2
OSV
OSV
added 2022/06/13 1:15 p.m.3 views

CVE-2021-25116

The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the removeasset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put...

6.5CVSS5.9AI score0.00408EPSS
Exploits2References1
Rows per page
Query Builder