11 matches found
PT-2026-42677
Name of the Vulnerable Software and Affected Versions NocoDB affected versions not specified Description The uploadViaURL path in the v1/v2 attachment API fails to enforce the NC ATTACHMENT FIELD SIZE limit against the remote content-length or the response stream. An authenticated user with Edito...
PT-2026-25039
Name of the Vulnerable Software and Affected Versions Asseco SEE Live 2.0 Description A local file inclusion issue exists in the Contact Plan, E-Mail, SMS, and Fax components. Remote authenticated users can access files on the host system through the path parameter in the downloadAttachment and...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the GetTaskAttachment handler in the API attachment download component. An attacker can execute arbitrary JavaScript and expose authentication tokens by uploading an SVG attachment whose crafted filename...
GHSA-263Q-5CV3-XQ9G Gitea allows attackers to add attachments with forbidden file extensions
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
Gitea allows attackers to add attachments with forbidden file extensions
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
CVE-2025-68939
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
CVE-2025-68939
Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API...
CVE-2023-37910 org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document can be the use...
PrestaShop file deletion via attachment API
Impact It is possible to delete a file from the server by using the Attachments controller and the Attachments API. Patches 8.1.1 Found by Kto94 via Yeswehack Workarounds none References none...
CVE-2022-35291
Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successfu...
Tangro Business Workflow 授权问题漏洞
Tangro Business Workflow is a German Tangro company's internal control of the contents of SAP documents and the approval process for the visual drawing of the software. A vulnerability exists in Tangro Business Workflow prior to version 1.18.1 due to an authorization issue, which stems from a...