38 matches found

CVE · added 2025/12/17 12:0 a.m. · 11 views

CVE-2025-66923

Open Source Point of Sale (OSPOS) v3.4.1 contains a Cross-Site Scripting (XSS) vulnerability in the Create/Update Customer(s) flow, exploitable via the phone_number parameter. The issue can lead to arbitrary script/HTML execution in the browser, with CVSSv3.1 base score 7.2 (HIGH) and impact on c...

CVSS 7.2 · AI score 5.5 · EPSS 0.00465 · Exploits 1 · References 2 · Affected software 1
CVE · added 2025/12/17 12:0 a.m. · 10 views

CVE-2025-66921

CVE-2025-66921 describes a Cross-site scripting (XSS) vulnerability in the Open Source Point of Sale (OSPOS) v3.4.1, specifically in the Create/Update Item(s) Module. The issue arises from improper handling of the name parameter, allowing remote attackers to inject arbitrary web script or HTML. M...

CVSS 7.2 · AI score 5.5 · EPSS 0.00465 · Exploits 1 · References 2 · Affected software 1
NVD · added 2025/10/31 8:15 p.m. · 7 views

CVE-2025-63562

Summer Pearl Group Vacation Rental Management Platform prior to v1.0.2 suffers from insufficient server-side authorization. Authenticated attackers can call several endpoints and perform create/update/delete actions on resources owned by arbitrary users by manipulating request parameters, e.g.,...

CVSS 6.3 · EPSS 0.00178 · Exploits 0 · References 1
NVD · added 2025/10/08 4:15 p.m. · 4 views

CVE-2025-59303

HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress...

CVSS 6.4 · EPSS 0.00238 · Exploits 0 · References 1
OSV · added 2025/09/15 4:28 p.m. · 4 views

GHSA-JJ4J-X5WW-CWH9 Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden

Summary: Certain bulk action calls with a before_transaction hook and no after_transaction hook will call the before_transaction hook before authorization is checked and a Forbidden error is returned, when called as a bulk action. The impact is that a malicious user could cause a before_transaction t...

CVSS 7.1 · AI score 6.8 · EPSS 0.00293 · Exploits 0 · References 6
Cvelist · added 2025/09/08 9:17 p.m. · 18 views

CVE-2025-57817 Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation

Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with client:create or client:update permissions to escalate thei...

CVSS 8.6 · EPSS 0.00392 · Exploits 0 · References 3
VulnCheck KEV · added 2024/11/26 12:0 a.m. · 5 views

VulnCheck KEV: CVE-2021-41295

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus an authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system...

CVSS 8.8 · AI score 6 · EPSS 0.00415 · Exploits 1 · References 1
OSV · added 2024/08/06 10:3 p.m. · 107 views

GO-2024-3023 Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server...

CVSS 7.1 · AI score 6 · EPSS 0.00362 · Exploits 0 · References 3
OSV · added 2024/08/01 3:32 p.m. · 11 views

GHSA-VG67-CHM7-8M3J Mattermost allows remote actor to create/update/delete posts in arbitrary channels

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels...

CVSS 7 · AI score 6 · EPSS 0.00362 · Exploits 0 · References 4
CNNVD · added 2024/02/29 12:0 a.m. · 4 views

IBM Cloud Pak for Automation Security Vulnerability

IBM Cloud Pak for Automation is an intelligent software platform for building automation applications in cloud environments from International Business Machines (IBM). The platform uses pre-integrated automation technologies and low-code tools to design, build and run automated applications and...

CVSS 6.5 · AI score 6.8 · EPSS 0.00341 · Exploits 0 · References 3
OSV · added 2024/02/21 4:15 p.m. · 5 views

CVE-2022-45179

An issue was discovered in LIVEBOX Collaboration vDesk through v031. A basic XSS vulnerability exists under the /api/v1/vdeskintegration/todo/createorupdate endpoint via the title parameter and /dashboard/reminders. A remote user authenticated to the product can store arbitrary HTML code in the...

CVSS 5.4 · AI score 6 · EPSS 0.00397 · Exploits 0 · References 1
Positive Technologies · added 2023/07/24 12:0 a.m. · 4 views

PT-2023-26272 · Otrs

Name of the Vulnerable Software and Affected Versions: OTRS versions 7.0.X through 7.0.44; OTRS versions 8.0.X through 8.0.34; OTRS Community Edition versions 6.0.1 through 6.0.34. Description: The issue is related to an Improper Input Validation vulnerability in the ContentType parameter for...

CVSS 9.8 · AI score 6.3 · EPSS 0.99019 · Exploits 18 · References 92
OSV · added 2023/07/19 10:11 p.m. · 19 views

GHSA-9436-3GMP-4F53 grav Server-side Template Injection (SSTI) mitigation bypass

Summary: The fix for SSTI using the |map, |filter and |reduce Twig filters implemented in commit 71bbed1 introduces a bypass of the denylist due to an incorrect return value from isDangerousFunction, which allows executing the payload by prepending a double backslash (\\). Details: The isDangerousFunction check in...

CVSS 7.2 · AI score 8 · EPSS 0.02259 · Exploits 1 · References 5
OSV · added 2023/01/09 5:15 p.m. · 4 views

CVE-2022-46258

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability...

CVSS 6.5 · AI score 5.8 · EPSS 0.0056 · Exploits 0 · References 4
Cvelist · added 2022/06/16 5:46 p.m. · 22 views

CVE-2022-31294

An issue in the saveusers function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily create or update user accounts...

AI score 6.8 · EPSS 0.00818 · Exploits 2 · References 2
ATTACKERKB · added 2022/01/06 4:15 p.m. · 4 views

CVE-2021-46075

A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. Staff account users can access the admin resources and perform CRUD operations...

CVSS 7.2 · AI score 7.1 · EPSS 0.02616 · Exploits 2 · References 3
OSV · added 2021/01/11 10:15 p.m. · 4 views

CVE-2021-0317

In createOrUpdate of Permission.java and related code, there is possible permission escalation due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10...

CVSS 7.8 · AI score 6.7 · EPSS 0.002 · Exploits 0 · References 1
CNVD · added 2020/11/17 12:0 a.m. · 8 views

IBM Cognos Controller Elevation of Privilege Vulnerability

IBM Cognos Controller is a suite of business intelligence and planning solutions from IBM in the United States. The product features process automation, financial audit control, and the creation and management of financial reports. IBM Cognos Controller suffers from a security vulnerability that...

CVSS 8 · AI score 6.9 · EPSS 0.01428 · Exploits 0 · References 1