20 matches found
GHSA-8JR5-6GVJ-RFPF @yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
SSE Transport Has No Authentication and Wildcard CORS, Exposing All 86 GitLab Tools Including Destructive Operations A review of mcp-gitlab-server at commit 80a7b4cf3fba6b55389c0ef491a48190f7c8996a uncovered that the SSE HTTP transport — advertised in the README and comparison table as a...
PT-2026-39306
Name of the Vulnerable Software and Affected Versions GitLab MCP Server versions prior to 0.6.0 Description The HTTP transport in src/transport.ts lacks an authentication layer and implements a wildcard Access-Control-Allow-Origin: header on all responses. This allows any cross-origin browser...
EUVD-2004-0049
Malware in sbrugna...
CVE-2025-50902
Cross Site Request Forgery CSRF vulnerability in old-peanut Open-Shop aka old-peanut/wechatappletopensource thru 1.0.0 allows attackers to gain sensitive information via crafted HTTP Post message...
CVE-2025-50902
Cross Site Request Forgery CSRF vulnerability in old-peanut Open-Shop aka old-peanut/wechatappletopensource thru 1.0.0 allows attackers to gain sensitive information via crafted HTTP Post message...
CVE-2020-9085
There is a NULL pointer dereference vulnerability in some Huawei products. An attacker may send specially crafted POST messages to the affected products. Due to insufficient validation of some parameter in the message, successful exploit may cause some process abnormal. Vulnerability ID:...
CVE-2020-9085
There is a NULL pointer dereference vulnerability in some Huawei products. An attacker may send specially crafted POST messages to the affected products. Due to insufficient validation of some parameter in the message, successful exploit may cause some process abnormal. Vulnerability ID:...
CVE-2020-9085
There is a NULL pointer dereference vulnerability in some Huawei products. An attacker may send specially crafted POST messages to the affected products. Due to insufficient validation of some parameter in the message, successful exploit may cause some process abnormal. Vulnerability ID:...
CVE-2020-9085
There is a NULL pointer dereference vulnerability in some Huawei products. An attacker may send specially crafted POST messages to the affected products. Due to insufficient validation of some parameter in the message, successful exploit may cause some process abnormal. Vulnerability ID:...
CVE-2020-9085
There is a NULL pointer dereference vulnerability in some Huawei products. An attacker may send specially crafted POST messages to the affected products. Due to insufficient validation of some parameter in the message, successful exploit may cause some process abnormal. Vulnerability ID:...
PT-2024-10861 · Huawei · Huawei Products
Name of the Vulnerable Software and Affected Versions: Huawei products affected versions not specified Description: There is a NULL pointer dereference issue in some Huawei products. An attacker can send specially crafted POST messages to the affected products. Due to insufficient validation of...
CVE-2023-5654
The React Developer Tools extension registers a message listener with window.addEventListener'message', in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch. The URL is not...
CVE-2020-7300
Improper Authorization vulnerability in McAfee Data Loss Prevention DLP ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view only privileges via carefully constructed HTTP post messages...
Authorization
Improper Authorization vulnerability in McAfee Data Loss Prevention DLP ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view only privileges via carefully constructed HTTP post messages...
CVE-2020-7300 DLP ePO extension - Improper Authorization
Improper Authorization vulnerability in McAfee Data Loss Prevention DLP ePO extension prior to 11.5.3 allows authenticated remote attackers to change the configuration when logged in with view only privileges via carefully constructed HTTP post messages...
CVE-2018-14867
Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters...
Improper access control
Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters...
CVE-2018-14867
Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters...
Cross-Origin Resource Sharing (CORS) Vulnerability
auth0-js has cross-origin resource sharing CORS vulnerability . It does not perform origin verification and uses a popup callback page with auth0.popup.callback, allowing the attackers to get access the tokens of logged-in users by using unrestricted cross-origin post message requests. The...
Authentication flaw
BlogPHP 2.0 allows remote attackers to bypass authentication, and post 1 messages or 2 comments as an arbitrary user, via a modified blogphpusername field in a cookie...