344 matches found
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via an anonymously accessible endpoint that reveals details about configured password requirements. An attacker can gain insight into password policy information...
CVE-2025-24012
Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 conta...
CVE-2024-45278
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting XSS vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application...
CVE-2024-34071
Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in versions 8.18.14,...
CVE-2024-35218
Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting XSS enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in versions 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementi...
CVE-2023-38694
Umbraco is an ASP.NET content management system CMS. Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain ...
CVE-2022-32118
Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting XSS vulnerability via the dispatchcategory parameter in backoffice.inc.php...
CVE-2020-6302
SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts, leading to Session...
CVE-2019-13957
In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter...
CVE-2005-3397
Cross-site scripting XSS vulnerability in Comersus BackOffice allows remote attackers to inject arbitrary web script or HTML via the error parameter to comersusbackofficesupportError.asp. NOTE: the comersusbackofficemessage.asp/message vector is already covered by CVE-2005-2191 item 2...
CVE-2005-3285
Cross-site scripting XSS vulnerability in comersusbackofficesearchItemForm.asp in Comersus BackOffice Plus allows remote attackers to inject arbitrary web script or HTML via the 1 forwardTo1, 2 forwardTo2, 3 nameFT1, or 4 nameFT2 parameters...
CVE-1999-0372
The installer for BackOffice Server includes account names and passwords in a setup file reboot.ini which is not deleted...
CVE-2025-40635
SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint...
CVE-2025-40635 SQL injection at Comerzzia
SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint...
CVE-2025-40635 SQL injection at Comerzzia
SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint...
CVE-2025-40635
CVE-2025-40635 affects Comerzzia Backoffice: Sales Orchestrator 3.0.15. A SQL injection in /comerzzia/login via uidActivity, codCompany, and uidInstance can expose full database access (retrieve, create, update, delete). Base score 9.3 (CRITICAL) per CVSS v4.0; network attack, no authentication, ...
Comerzzia Backoffice SQL注入漏洞
Comerzzia Backoffice is a modular retail platform from Comerzzia. A SQL injection vulnerability exists in Comerzzia Backoffice version 3.0.15, which stems from unfiltered uidActivity, codCompany, and uidInstance parameters, and could lead to SQL injection attacks...
PT-2025-22133 · Unknown · Comerzzia Backoffice: Sales Orchestrator
Name of the Vulnerable Software and Affected Versions: Comerzzia Backoffice: Sales Orchestrator version 3.0.15 Description: The issue allows an attacker to retrieve, create, update, and delete databases via the uidActivity, codCompany, and uidInstance parameters of the "/comerzzia/login" endpoint...
Malicious code in odin-backoffice-starter-kit (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2982abf6f95afddda54146444463c8334c7677ea0b5d8fb203c536dc54470188 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Incorrect Authorization
Umbraco.Cms.Web.Backoffice is vulnerable to Incorrect Authorization. The vulnerability is due to improper access control due to manipulation of backoffice API URLs, allowing authenticated users to retrieve or delete restricted content...