60 matches found
CVE-2025-64748 Directus's conceal fields are searchable if read permissions enabled
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected...
Directus 安全漏洞
Directus is a real-time Api and application dashboard open-sourced by Directus. It is used to manage Sql database content. A security vulnerability exists in Directus versions prior to 11.13.0 that stems from allowing authenticated users to search for sensitive fields, potentially leading to a...
EUVD-2025-38346
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times,...
CVE-2025-64492 SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times,...
EUVD-2024-39585
Malicious code in bioql PyPI...
EUVD-2022-52745
Malicious code in bioql PyPI...
EUVD-2022-6321
Malicious code in bioql PyPI...
CVE-2025-56162
CVE-2025-56162 — YOSHOP 2.0 suffers an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), enabling: (a) enumeration/modification of DB data, including potential admi...
Linux Distros Unpatched Vulnerability : CVE-2022-31088
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - LDAP Account Manager LAM is a webfrontend for managing entries e.g. users, groups, DHCP settings stored in an LDAP directory. In versions prior to 8.0 the user...
CVE-2025-53709 Access control issues impacting secure-upload service
Secure-upload is a data submission service that validates single-use tokens when accepting submissions to channels. The service only installed on a small number of environments. Under specific circumstances, privileged users of secure-upload could have selected email templates not necessarily...
CVE-2022-24189
The usertoken authorization header on the Ourphoto App version 1.4.1 /apiv1/ end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other use...
EulerOS 2.0 SP10 : rsync (EulerOS-SA-2025-1536)
According to the versions of the rsync package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A flaw was found in rsync. When using the --safe-links option, the rsync client fails to properly verify if a symbolic link destination sent from th...
CVE-2025-3924
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'validemail' value based solely on a supplied username parameter, without verifying that the requester is associated...
Directus `search` query parameter allows enumeration of non permitted fields
Summary The search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. Details The searchable columns numbers & strings are not checked against permissions when injecti...
PT-2025-12983 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions 9.0.0-alpha.4 through 11.5.0 Description: The issue allows users with access to a collection to filter items based on fields they do not have permission to view using the search query parameter. This enables the enumeration ...
CBL Mariner 2.0 Security Update: rsync (CVE-2024-12086)
The version of rsync installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-12086 advisory. - A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the...
Important: rsync
Issue Overview: A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length s2length to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data...
CVE-2024-53850
The CVE-2024-53850 entry maps to the Addressing GLPI plugin vulnerability. The connected PT-2024-9988 advisory specifies affected versions 3.0.0 through 3.0.3 and attributes the issue to a poor security check that allows an unauthenticated attacker to determine whether data exists by name in GLPI...
CVE-2024-53850 The Addressing GLPI plugin allows data enumeration through uncontrolled object instantiation
The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists by name in GLPI...
CVE-2024-53850 The Addressing GLPI plugin allows data enumeration through uncontrolled object instantiation
The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists by name in GLPI...