60 matches found
PT-2025-35904
Name of the Vulnerable Software and Affected Versions: appRain CMF version 4.0.5 Description: An SQL injection vulnerability exists that allows an attacker to retrieve, create, update, and delete the database. This is possible through the data%5BPage%5D%5Bname%5D parameter in the...
PT-2025-35905
Name of the Vulnerable Software and Affected Versions: appRain CMF version 4.0.5 Description: An SQL injection flaw exists in appRain CMF version 4.0.5. This flaw allows an attacker to retrieve, create, update, and delete the database through the data%5BPage%5D%5Bname%5D parameter in the...
CVE-2025-55742
CVE-2025-55742 concerns UnoPim, a Laravel-based open-source PIM. The vulnerability is a stored XSS in the user-creation endpoint (/admin/settings/users/create) caused by a SVG MIME/sanitizer bypass. It affects UnoPim versions before 0.2.1 and is fixed in 0.2.1. The issue arises from insufficient ...
Cross-site Scripting (XSS)
Overview express-gateway is an A microservices API gateway built on top of ExpressJS Affected versions of this package are vulnerable to Cross-site Scripting XSS due to a lack of input validation and output sanitization when handling user and application creation POST / and update PUT /:id...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the create channel subscription endpoint, which fails to check the authorization of the user. An attacker can gain unauthorized access to create channel subscriptions by making API calls...
CVE-2025-54458
Mattermost Confluence Plugin vulnerability CVE-2025-54458: versions = 1.5.0 or apply vendor-provided fix as available.
CVE-2025-54458 Unauthorized Subscription Creation to Confluence Space in Mattermost Confluence Plugin
Mattermost Confluence Plugin version 1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint...
CVE-2025-43921
GNU Mailman 2.1.39, as bundled in cPanel and WHM, allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used...
UBUNTU-CVE-2025-43921
GNU Mailman 2.1.39, as bundled in cPanel and WHM, allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to reproduce this, regardless of whether cPanel or WHM is used...
Cross-site Request Forgery (CSRF)
Overview polyaxon is a Command Line Interface CLI and client to interact with Polyaxon API. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the create endpoint. An attacker who can convince a user to follow a malicious link can cause the creation of a...
Dcat Admin 安全漏洞
Dcat Admin is a second development based on laravel-admin to build the backend system tools . A cross-site scripting vulnerability exists in Dcat Admin v2.2.0-beta, which stems from the lack of effective filtering and escaping of user-supplied data in /admin/articles/create, and can be exploited ...
PT-2024-9415 · Ollama · Ollama
Name of the Vulnerable Software and Affected Versions: Ollama versions 0.3.14 and earlier Description: The issue is related to the disclosure of system data to unauthorized individuals. It can be exploited by a remote attacker to cause a denial of service. The vulnerability allows file existence...
PT-2024-20126 · Cups Easy · Cups Easy
Name of the Vulnerable Software and Affected Versions: Cups Easy Purchase & Inventory version 1.0 Description: A Cross-Site Scripting XSS issue has been reported, where user-controlled inputs are not sufficiently encoded. This issue can be exploited via the /cupseasylive/taxstructurelinecreate.ph...
PT-2024-20134 · Cups Easy · Cups Easy
Name of the Vulnerable Software and Affected Versions: Cups Easy Purchase & Inventory version 1.0 Description: A vulnerability has been reported in Cups Easy Purchase & Inventory whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting XSS vulnerability via...
CVE-2023-3832
A vulnerability was found in Bug Finder Wedding Wonders 1.0. It has been classified as problematic. Affected is an unknown function of the file /user/ticket/create of the component Ticket Handler. The manipulation of the argument message leads to cross site scripting. It is possible to launch the...
CVE-2023-3827
A vulnerability was found in Bug Finder Listplace Directory Listing Platform 3.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /listplace/user/ticket/create of the component HTTP POST Request Handler. The manipulation of the argument message leads...
PT-2023-26357 · Unknown · Bug Finder Wedding Wonders
Name of the Vulnerable Software and Affected Versions: Bug Finder Wedding Wonders version 1.0 Description: A vulnerability was found in the Ticket Handler component, specifically in the /user/ticket/create file, where an unknown function is affected. The manipulation of the message argument leads...
PT-2023-26189 · Unknown · Bug Finder Chaincity Real Estate Investment Platform
Name of the Vulnerable Software and Affected Versions: Bug Finder ChainCity Real Estate Investment Platform version 1.0 Description: A problematic vulnerability has been found in the New Ticket Handler component of the Bug Finder ChainCity Real Estate Investment Platform. The issue affects an...
CVE-2022-3333
A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of the argument onanimationstart leads to cross site scripting. It is possible ...
BageCMS Cross-Site Request Forgery Vulnerability
BageCMS is a cross-platform content management system CMS based on PHP and MySQL. A cross-site request forgery vulnerability exists in the index.php?r=admini/admin/create URL in BageCMS version 3.1.3. A remote attacker can exploit the vulnerability to add a backend administrator account...