343 matches found
CVE-2023-49089
Umbraco is an ASP.NET content management system CMS. Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0...
CVE-2025-66625
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses HTTP 500...
GHSA-X93P-W2CH-FG67 Ibexa User Bundle is missing password change validation
Impact The vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in...
Account Hijacking
prestashop/pscheckout is vulnerable to Account hijacking. The vulnerability is due to the incorrect use of arraysearch in the backoffice logic, which allows an attacker to hijack the targeted PayPal merchant account...
CVE-2025-66625
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses HTTP 500...
CVE-2025-66625
CVE-2025-66625 affects Umbraco CMS (ASP.NET) versions 10.0.0–13.12.0. During the dictionary upload process, unsafe handling/deletion of temporary files enables a backoffice attacker to trigger predictable requests to temporary file paths, causing error responses (HTTP 500 if a file exists, 404 if...
CVE-2025-66625 Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses HTTP 500...
CVE-2025-66625 Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses HTTP 500...
CVE-2025-66625 Umbraco Vulnerable to Improper File Access and Credential Exposure through Dictionary Import Functionality
Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses HTTP 500...
GHSA-HFV2-PF68-M33X Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality
Impact Due to unsafe handling and deletion of temporary files during the dictionary upload process, an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses HTTP 500 when a file exists, 404 when it does not allow the...
Files or Directories Accessible to External Parties
Overview Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties in the dictionary import process. An attacker can enumerate the existence of arbitrary files on the server's filesystem and, in certain configurations, may expose the NTLM hash of the...
Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality
Impact Due to unsafe handling and deletion of temporary files during the dictionary upload process, an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses HTTP 500 when a file exists, 404 when it does not allow the...
PT-2025-50229
Name of the Vulnerable Software and Affected Versions Umbraco versions 10.0.0 through 13.12.0 Description Umbraco, an ASP.NET CMS, experiences an issue related to the unsafe handling and deletion of temporary files during the dictionary upload process. An attacker with backoffice access can...
Malicious code in mpesa-backoffice-ekyc-backend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55257288d3f483f60af585ba393105e594b34c61b2f676965ddb462c5a2ab4e6 The package mpesa-backoffice-ekyc-backend was found to contain malicious code...
EUVD-2025-44065
Malicious code in mpesa-backoffice-ekyc-backend npm...
MAL-2025-55034 Malicious code in mpesa-backoffice-ekyc-backend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55257288d3f483f60af585ba393105e594b34c61b2f676965ddb462c5a2ab4e6 The package mpesa-backoffice-ekyc-backend was found to contain malicious code...
CVE-2025-61924
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the Target PayPal merchant account hijacking from backoffice due to wrong usage of the PHP arraysearch. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known...
CVE-2025-61923
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. N...
EUVD-2025-34788
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice...
GHSA-FPXP-PFQM-X54W PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
Impact Missing validation on input vulnerable to directory traversal. Patches The problem has been patched in versions: v4.4.1 for PrestaShop 1.7 build number: 7.4.4.1 v4.4.1 for PrestaShop 8 build number: 8.4.4.1 v5.0.5 for PrestaShop 1.7 build number: 7.5.0.5 v5.0.5 for PrestaShop 8 build numbe...