EUVD-2024-19272

Malicious code in bioql PyPI...

GHSA-PF86-4W35-CJ89 Liferay Portal vulnerable to cross-site scripting in the Calendar widget

Multiple cross-site scripting XSS vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allo...

PT-2025-40049

Multiple cross-site scripting XSS vulnerabilities in the Calendar widget when inviting users to a event in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.6, 7.4 update 35 through update 92, and 7.3 update 25 through update 35 allo...

Omise: 2FA requirement bypass when inviting team members

The application's requirement for users to enable 2FA before sending team invitations was bypassed by modifying client-side responses. This allowed invitations to be sent without enabling 2FA, defeating the security requirement...

CVE-2025-59421

CVE-2025-59421 affects Press, a Frappe custom app running on Frappe Cloud. The issue is a lack of validation and rate limiting that allows a malicious actor to flood a user’s inbox by repeatedly sending duplicate invitations. The vulnerability is mitigated by the fix committed as 83c3fc7676c5dbbe...

PT-2025-38410

Name of the Vulnerable Software and Affected Versions Press versions prior to commit 83c3fc7676c5dbbe1fd5092d21d95a10c7b48615 Description Press, a Frappe custom app used for managing infrastructure, subscriptions, marketplace operations, and software-as-a-service SaaS, is susceptible to a flaw th...

Press 安全漏洞

Press is a Frappe open source Frappe custom application running Frappe Cloud. A security vulnerability exists in Press, which originates from an attacker being able to send repeated invitations resulting in the user's inbox being flooded...

Linux Distros Unpatched Vulnerability : CVE-2020-13305

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab was not invalidating project invitation link upon removing a user fr...

GitLab Enterprise Edition 安全漏洞

GitLab Enterprise Edition EE is a content management system from the U.S.-based GitLab, Inc. A security vulnerability exists in GitLab Enterprise Edition versions prior to 18.0 through 18.0.4 and 18.1 through 18.1.2, which stems from an authenticated user potentially bypassing group-level user...

Discourse 安全漏洞

Discourse is an open source community discussion platform from Discourse Open Source. The platform includes features such as communities, email, and chat rooms. A security vulnerability exists in Discourse versions prior to 3.4.4, prior to 3.5.0.beta5, and prior to 3.5.0.beta6-dev, which stems fr...

CVE-2025-22608

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID,...

CVE-2024-21630

Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations, not single-use invitation links as in the prior CVE. Specifically, it applies when the installation has configured non-admins to be able to invite...

CVE-2023-28623

Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: ZulipLDAPAuthBackend and an external authentication backend any aside of ZulipLDAPAuthBackend and EmailAuthBackend are the only ones enabled in AUTHENTICATIONBACKENDS in /etc/zulip/settings.py...

CVE-2022-39385

Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been...

CVE-2022-1385

Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console, which allows accidentally invited users to join the workspace and access information from the public teams and channels...

CVE-2021-39875

In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint...

CVE-2017-18543

The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations...

CVE-2019-19249

Controllers/InvitationsController.cs in QueryTree before 3.0.99-beta mishandles invitations...

Dust: User Limit Bypass via Pending Invitations in Workspace System

The platform's workspace user limit was found to be vulnerable to bypass through the use of pending invitations. Users were able to join a workspace by signing up with an invited email, even after the workspace had reached its user limit for the current subscription tier. This allowed an unlimite...

CVE-2025-31478

Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being requir...