27 matches found
CVE-2026-41498
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...
CVE-2026-9526
A vulnerability was found in itsourcecode Electronic Judging System 1.0. This vulnerability affects unknown code of the file /admin/editteam.php. The manipulation of the argument numid results in sql injection. The attack may be launched remotely. The exploit has been made public and could be use...
CVE-2026-9526
A vulnerability was found in itsourcecode Electronic Judging System 1.0. This vulnerability affects unknown code of the file /admin/editteam.php. The manipulation of the argument numid results in sql injection. The attack may be launched remotely. The exploit has been made public and could be use...
CVE-2026-9526 itsourcecode Electronic Judging System edit_team.php sql injection
A vulnerability was found in itsourcecode Electronic Judging System 1.0. This vulnerability affects unknown code of the file /admin/editteam.php. The manipulation of the argument numid results in sql injection. The attack may be launched remotely. The exploit has been made public and could be use...
itsourcecode Electronic Judging System SQL注入漏洞
itsourcecode Electronic Judging System is an open-source electronic referee system developed by itsourcecode. Version 1.0 of the itsourcecode Electronic Judging System has a SQL injection vulnerability. This vulnerability arises from improper handling of the numid parameter in the unknown code...
PT-2026-43183
A vulnerability was found in itsourcecode Electronic Judging System 1.0. This vulnerability affects unknown code of the file /admin/edit team.php. The manipulation of the argument num id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be...
CVE-2026-41498
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...
kimai 安全漏洞
Kimai is a web-based, multi-user time tracking application developed by Kimai’s individual developers. Versions of Kimai prior to 2.54.0 contained security vulnerabilities. These vulnerabilities were caused by incorrect annotations used for the Team API endpoints, which led to TeamVoter abstentio...
Kimai has Missing Object-Level Authorization in the Team API
Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the Team API endpoints due to improper authorization checks in the TeamController process. An attacker can gain unauthorized access to modify any team's membership, customer assignments, project assignments, and...
GHSA-JV9X-W4GM-HWCM Kimai has Missing Object-Level Authorization in the Team API
Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...
CVE-2025-40690
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'teamid' parameter in the endpoint '/ofrs/admin/edit-team.php'...
EUVD-2025-28903
Malicious code in bioql PyPI...
CVE-2025-40693
Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a reflected and stored authenticated XSS due to the lack of propper validation of user inputs 'tname' parameter via GET and, 'teamleadname', 'teammember' and 'teamname' parameters via POST at the...
CVE-2025-40693
Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a reflected and stored authenticated XSS due to the lack of propper validation of user inputs 'tname' parameter via GET and, 'teamleadname', 'teammember' and 'teamname' parameters via POST at the...
CVE-2025-40690
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'teamid' parameter in the endpoint '/ofrs/admin/edit-team.php'...
CVE-2025-40693
Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a reflected and stored authenticated XSS due to the lack of propper validation of user inputs 'tname' parameter via GET and, 'teamleadname', 'teammember' and 'teamname' parameters via POST at the...
CVE-2025-40690
SQL Injection in Online Fire Reporting System v1.2 by PHPGurukul. This vulnerability allows an attacker to retrieve, create, update and delete database via 'teamid' parameter in the endpoint '/ofrs/admin/edit-team.php'...
CVE-2025-40693
CVE-2025-40693 : Stored Cross-Site Scripting in Online Fire Reporting System v1.2 (PHPGurukul) arises from insufficient validation of inputs: GET parameter tname and POST parameters teamleadname, teammember, and teamname at /ofrs/admin/edit-team.php. This authenticated XSS can enable an attacker ...
CVE-2025-40693 Cross Site Scripting in PHPGurukul Online Fire Reporting System
Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a reflected and stored authenticated XSS due to the lack of propper validation of user inputs 'tname' parameter via GET and, 'teamleadname', 'teammember' and 'teamname' parameters via POST at the...