42 matches found
EUVD-2024-46384
Malicious code in bioql PyPI...
EUVD-2024-42543
Malicious code in bioql PyPI...
EUVD-2024-27856
Malicious code in bioql PyPI...
CVE-2024-5127
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...
CVE-2024-2913
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...
CVE-2024-10359
In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to appear in the UI of...
CVE-2024-47610 Stored Cross-site Scripting Vulnerability in Markdown Editor
InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability has been addresse...
CVE-2024-47610
The CVE-2024-47610 issue affects InvenTree before 0.16.5, where a registered user can store JavaScript in Markdown notes fields that are rendered for other logged-in users, enabling stored cross-site scripting (XSS). Root cause: lack of input sanitization in the Markdown rendering path and storag...
CVE-2024-5127
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...
CVE-2024-5127
CVE-2024-5127 affects lunary-ai/lunary versions 1.2.2–1.2.25 and describes an improper access-control vulnerability in the Team feature. The backend does not validate whether a user has paid for a plan before allowing invites with roles, enabling Free-plan users to invite members and assign roles...
CVE-2024-5127 Improper Access Control in lunary-ai/lunary
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...
CVE-2024-5127 Improper Access Control in lunary-ai/lunary
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...
PT-2024-34584 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.2.2 through 1.2.25 Description: The issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not...
CVE-2024-2913
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...
CVE-2024-2913
CVE-2024-2913 affects mintplex-labs/anything-llm in the user invite acceptance flow. Root cause: lack of validation for concurrent requests creates a race condition that lets multiple accounts be created from a single invite link intended for one user. Impact: unauthorized user creation without d...
CVE-2024-2913 Race Condition Vulnerability in mintplex-labs/anything-llm
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...
PT-2024-22751 · Unknown · Anything-Llm
Name of the Vulnerable Software and Affected Versions: anything-llm affected versions not specified Description: A race condition vulnerability exists in the user invite acceptance process, allowing attackers to create multiple user accounts from a single invite link by sending multiple concurren...
Account Spoofing
phpMyFAQ is vulnerable to User Account Spoofing. The vulnerability is due to the user removal page lacking backend validation, allowing an attacker to manipulate form details by intercepting the request via a proxy, which can allow an attacker to trick an admin into removing the account...
SAP ERP 信任管理问题漏洞
SAP Cloud Connector is a connector for connecting to the SAP Cloud Platform from SAP Germany. SAP Cloud Connector 2.0 suffers from a trust management issue vulnerability that stems from SAP Cloud Connector being able to communicate with the backend without sufficiently validating certificates. An...
Authentication flaw
In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter accesstoken this is the parameter used by the API. No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is...