18 matches found

CNNVD
added 2026/03/27 12:0 a.m. · 3 views

Fleet Authorization Issue Vulnerability

Fleet is an open-source device management platform developed by Fleet Device Management. It supports various operating systems and devices, and helps IT and security teams with device management, vulnerability reporting, MDM operations, etc. Versions of Fleet prior to 4.81.0 contained a...

CVSS 7.1 · AI score 5.9 · EPSS 0.00042
Exploits: 0 · References: 2

NVD
added 2025/11/13 9:15 p.m. · 4 views

CVE-2025-64744

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without...

CVSS 3.5 · EPSS 0.00025
Exploits: 0 · References: 1

OSV
added 2025/11/13 8:30 p.m. · 2 views

CVE-2025-64744 OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without...

CVSS 3.5 · AI score 6.5 · EPSS 0.00025
Exploits: 0 · References: 3

EUVD
added 2025/11/13 8:30 p.m. · 3 views

EUVD-2025-175381

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without...

CVSS 3.5 · AI score 6 · EPSS 0.00025
Exploits: 0 · References: 1

Vulnrichment
added 2025/11/13 8:30 p.m. · 4 views

CVE-2025-64744 OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without...

CVSS 3.5 · AI score 6.2 · EPSS 0.00025
Exploits: 0 · References: 1

Cvelist
added 2025/11/13 8:30 p.m. · 7 views

CVE-2025-64744 OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without...

CVSS 3.5 · EPSS 0.00025
Exploits: 0 · References: 1

CVE
added 2025/11/13 8:30 p.m. · 11 views

CVE-2025-64744

OpenObserve vulnerable to HTML injection in organization invitation emails. Affected versions up to 0.16.1 render HTML from user-supplied organization names in email templates due to insufficient HTML escaping. As of publication, no patched versions are available (multiple sources corroborate acr...

CVSS 3.5 · AI score 6.2 · EPSS 0.00025
Exploits: 0 · References: 1

EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2018-3089

Malware in sbrugna...

CVSS 6.5 · AI score 6.6 · EPSS 0.00232
Exploits: 0 · References: 2

Positive Technologies
added 2023/09/07 12:0 a.m. · 3 views

PT-2023-27901 · Tolgee · Tolgee

Name of the Vulnerable Software and Affected Versions: Tolgee versions prior to 3.29.2

Description: Tolgee is an open-source localization platform. Due to a lack of validation in the Org Name field, a bad actor can send emails with HTML injected code to victims. Registered users can inject HTML...

CVSS 5.5 · AI score 5.6 · EPSS 0.00217
Exploits: 1 · References: 8

OSV
added 2021/04/19 2:54 p.m. · 16 views

GHSA-MH74-4M5G-FCJX Malicious users could abuse Sydent to control the content of invitation emails

Impact: A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example.

Patches: Fixed in 4469d1d, 6b405a8, 65a6e91. Note that these patches include changes to the default email templates. If the...

CVSS 6.9 · AI score 5.6 · EPSS 0.0025
Exploits: 0 · References: 6

OSV
added 2021/02/04 5:15 p.m. · 0 views

CVE-2021-1221

A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation email. The vulnerability is due to insufficient input validation. An attacker could exploit this...

CVSS 4.1 · AI score 5.8
Exploits: 0 · References: 1

Prion
added 2018/07/24 7:29 p.m. · 10 views

Design/Logic Flaw

Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content...

CVSS 4 · AI score 6.3 · EPSS 0.00232
Exploits: 0 · References: 1 · Affected Software: 1

NVD
added 2018/07/24 7:29 p.m. · 13 views

CVE-2018-11044

Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content...

CVSS 6.5 · AI score 6.4 · EPSS 0.00232
Exploits: 0 · References: 1

OSV
added 2018/07/24 7:29 p.m. · 1 views

CVE-2018-11044

Pivotal Apps Manager included in Pivotal Application Service, versions 2.2.x prior to 2.2.1 and 2.1.x prior to 2.1.8 and 2.0.x prior to 2.0.17 and 1.12.x prior to 1.12.26, does not escape all user-provided content when sending invitation emails. A malicious authenticated user can inject content...

CVSS 6.5 · AI score 5.8 · EPSS 0.00232
Exploits: 0 · References: 1

CVE
added 2018/07/24 7:0 p.m. · 44 views

CVE-2018-11044

CVE-2018-11044 affects Pivotal Apps Manager included in Pivotal Application Service. The issue is that invitation emails do not escape all user-provided content in the invite, allowing a malicious authenticated user to inject content into an invite to another user. Affected versions are 2.2.x bef...

CVSS 6.5 · AI score 6.3 · EPSS 0.00232
Exploits: 0 · References: 1 · Affected Software: 1

OSV
added 2018/04/25 6:29 p.m. · 1 views

CVE-2018-10213

An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is XSS in invitation mail received from a different user, who can modify the HTML in that mail before sending it...

CVSS 5.4 · AI score 5.8 · EPSS 0.00206
Exploits: 0 · References: 2

Positive Technologies
added 2018/04/25 12:0 a.m. · 2 views

PT-2018-9760 · Vaultize · Vaultize Enterprise File Sharing

Name of the Vulnerable Software and Affected Versions: Vaultize Enterprise File Sharing version 17.05.31

Description: An issue was discovered where there is a cross-site scripting (XSS) vulnerability in the invitation mail received from a different user. This user can modify the HTML in the mail...

CVSS 5.4 · AI score 5.3 · EPSS 0.00206
Exploits: 0 · References: 4

HackerOne
added 2016/08/11 7:23 p.m. · 145 views

Instacart: Hyperlink Injection in Friend Invitation Emails

Description: A user can change their name to a URL in order to send email invitations containing malicious hyperlinks.

Steps to Reproduce:
1. Create a new Instacart account with the first name http://example.com
2. Navigate to https://www.instacart.com/store/referrals
3. Send an email invitation to...

AI score 0.6
Exploits: 0