72 matches found
CVE-2026-34366 InvoiceShelf: SSRF in Payment Receipt PDF Rendering via Unsanitised HTML in Notes Field
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes...
CVE-2026-34366 InvoiceShelf: SSRF in Payment Receipt PDF Rendering via Unsanitised HTML in Notes Field
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes...
CVE-2026-34365 InvoiceShelf: SSRF in Estimate PDF Rendering via Unsanitised HTML in Notes Field
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field...
CVE-2026-34365
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field...
PT-2026-29342
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes...
EUVD-2026-17095
Multiple stored cross-site scripting XSS vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters...
CVE-2025-69634
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user...
CVE-2025-69634
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user...
CVE-2025-69634
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user...
Dolibarr ERP & CRM 安全漏洞
Dolibarr ERP & CRM is an enterprise management software developed under the open-source license of Dolibarr. Version 22.0.9 of Dolibarr ERP & CRM contains a security vulnerability. This vulnerability stems from the notes field in the perms.php file, where cross-site request forgery attacks may...
PT-2026-7852
Name of the Vulnerable Software and Affected Versions Dolibarr ERP & CRM version 22.0.9 Description A Cross Site Request Forgery issue exists in Dolibarr ERP & CRM version 22.0.9. A remote attacker may be able to escalate privileges through the notes field in the perms.php file. It is noted that...
CVE-2025-69634
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php...
CVE-2025-69634
Dolibarr ERP & CRM 22.0.9 is affected by a Cross Site Request Forgery vulnerability that could allow a remote attacker to escalate privileges via the notes field in perms.php. The issue is described across multiple sources (NVD/NVD-derived entries, Red Hat, UBUNTU, OSV, vulnerability enrichments)...
CVE-2025-69634
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user...
CVE-2021-47855
Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the...
CVE-2021-47855 Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the...
CVE-2021-47855
Openlitespeed 1.7.9 is affected by CVE-2021-47855, a stored cross-site scripting vulnerability in the dashboard Notes parameter. The issue allows an attacker to craft a payload in the Notes field during listener configuration that will execute when an administrator clicks the Default Icon, enabli...
CVE-2021-33231
Cross Site Scripting XSS vulnerability in New equipment page in EasyVista Service Manager 2018.1.181.1 allows remote attackers to run arbitrary code via the notes field...
CVE-2025-63640
Sourcecodester Medicine Reminder App v1.0 is vulnerable to Cross-Site Scripting XSS in the "Medicine Name" and "Notes Optional" fields when creating an "Upcoming Reminder", allowing an attacker to inject arbitrary potentially malicious HTML/JavaScript code that executes in the victim's browser up...
EUVD-2025-38300
Sourcecodester Medicine Reminder App v1.0 is vulnerable to Cross-Site Scripting XSS in the "Medicine Name" and "Notes Optional" fields when creating an "Upcoming Reminder", allowing an attacker to inject arbitrary potentially malicious HTML/JavaScript code that executes in the victim's browser up...