Lucene search
K

64 matches found

RedhatCVE
RedhatCVE
added 2025/05/22 9:21 p.m.8 views

CVE-2021-41286

Omikron MultiCash Desktop 4.00.008.SP5 relies on a client-side authentication mechanism. When a user logs into the application, the validity of the password is checked locally. All communication to the database backend is made via the same technical account. Consequently, an attacker can attach a...

7.8CVSS7.3AI score0.00227EPSS
Exploits0
OSV
OSV
added 2025/04/23 2:42 p.m.10 views

GHSA-F69V-XRJ8-RHXF org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

Impact It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Preven...

9.8CVSS7.9AI score0.79487EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2025/04/23 2:42 p.m.21 views

org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

Impact It is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Preven...

9.8CVSS8.6AI score0.79487EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2025/02/04 10:12 p.m.7 views

CVE-2024-35237

MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e...

7.5CVSS7.1AI score0.005EPSS
Exploits0References1
NVD
NVD
added 2024/12/12 7:15 p.m.37 views

CVE-2024-55663

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in getdocument.vm; the ordering of the returned documents is defined from an unsanitized request parameter request.sort and can allow any user to inject HQL. Depending on th...

9.8CVSS0.00732EPSS
Exploits0References3
Cvelist
Cvelist
added 2024/12/12 6:53 p.m.47 views

CVE-2024-55663 XWiki Platform has an SQL injection in getdocuments.vm with sort parameter

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in getdocument.vm; the ordering of the returned documents is defined from an unsanitized request parameter request.sort and can allow any user to inject HQL. Depending on th...

8.6CVSS0.00732EPSS
Exploits0References3
CVE
CVE
added 2024/12/12 6:53 p.m.69 views

CVE-2024-55663

CVE-2024-55663 is an SQL injection in XWiki Platform occurring in getdocument.vm, tied to an unsanitized sort parameter that can enable HQL injection. Affected versions include 6.3-milestone-2 up to 13.10.4/14.3-rc-1, with patches implemented in 13.10.5 and 14.3-rc-1. Depending on the database ba...

9.8CVSS6.3AI score0.00732EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2024/10/08 10:21 p.m.13 views

Improper Authorization in Select Permissions

Due to the order in which permissions were processed, some statements, filters and computations could lead to leaking field values or record contents to users without the required permissions. This behavior could be triggered in different scenarios: - When performing a SELECT operation on a table...

6.8AI score
Exploits0References13Affected Software2
OSV
OSV
added 2024/05/27 5:7 p.m.19 views

CVE-2024-35237 MIT IdentiBot User-Kerberos Mapping Publicly Available

MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e...

7.5CVSS7AI score0.005EPSS
Exploits0References4
OSV
OSV
added 2024/02/21 5:15 p.m.2 views

CVE-2024-1702

A vulnerability was found in keerti1924 PHP-MYSQL-User-Login-System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /edit.php. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the publi...

9.8CVSS5.7AI score0.00662EPSS
Exploits1References3
OSV
OSV
added 2023/07/27 8:15 p.m.4 views

CVE-2023-36942

A cross-site scripting XSS vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the website title field...

6.1CVSS5.9AI score0.0048EPSS
Exploits1References2
SUSE CVE
SUSE CVE
added 2023/02/15 3:37 a.m.4 views

SUSE CVE-2021-41177

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits as as AnonRateThrottle or UserRateThrottle was thus not rat...

8.1CVSS7.7AI score0.015EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2022/12/22 12:0 a.m.6 views

PT-2022-27475 · Apache · Apache Shardingsphere-Proxy

Name of the Vulnerable Software and Affected Versions: Apache ShardingSphere-Proxy versions prior to 5.3.0 Description: The issue arises when Apache ShardingSphere-Proxy is used with MySQL as the database backend. In versions prior to 5.3.0, the database session is not properly cleaned up after a...

9.8CVSS9.6AI score0.01388EPSS
Exploits0References7
NVD
NVD
added 2022/09/02 7:15 a.m.32 views

CVE-2022-38054

In Apache Airflow versions 2.2.4 through 2.3.3, the database webserver session backend was susceptible to session fixation...

9.8CVSS0.01881EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2022/09/02 7:15 a.m.1 views

CVE-2022-38054

In Apache Airflow versions 2.2.4 through 2.3.3, the database webserver session backend was susceptible to session fixation...

9.8CVSS7.3AI score0.01881EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2022/09/02 12:0 a.m.3 views

Apache Airflow 授权问题漏洞

Apache Airflow is the Apache Foundation's open source platform for creating, managing, and monitoring workflows. A security vulnerability exists in Apache Airflow versions 2.2.4 to 2.3.3, which stems from the vulnerability of the "database" web server session backend to session fixation. No detai...

9.8CVSS6.8AI score0.01881EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2022/09/02 12:0 a.m.11 views

PT-2022-24176 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 2.2.4 through 2.3.3 Description: The issue concerns the database webserver session backend, which was susceptible to session fixation. This means an attacker could potentially fixate a session ID on a user's browser,...

9.8CVSS9.2AI score0.01881EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2022/05/20 11:42 p.m.34 views

CVE-2021-41177

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits as as AnonRateThrottle or UserRateThrottle was thus not rat...

8.1CVSS2.5AI score0.015EPSS
Exploits0References1
OSV
OSV
added 2022/05/17 3:29 a.m.3 views

GHSA-6WGP-FWFM-MXP3 Django allows user sessions hijacking via an empty string in the session key

The session.flush function in the cacheddb backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key...

8.7CVSS6.8AI score0.01748EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2021/10/25 10:15 p.m.4 views

CVE-2021-41177

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits as as AnonRateThrottle or UserRateThrottle was thus not rat...

8.1CVSS7.1AI score0.015EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder