Lucene search
+L

289 matches found

CVE
CVE
added 2025/06/26 4:46 p.m.115 views

CVE-2025-52477

CVE-2025-52477 affects Octo-STS, a GitHub App acting as a Security Token Service for the GitHub API. The vulnerability is an unauthenticated SSRF that can be triggered by abusing fields in OpenID Connect tokens, causing internal network requests and potential exposure of sensitive information in ...

8.6CVSS7.1AI score0.0041EPSS
Exploits0References3
CNNVD
CNNVD
added 2025/06/26 12:0 a.m.6 views

octo-sts 代码问题漏洞

octo-sts is a Chainguard's GitHub security token service open-sourced by octo-sts. A code issue vulnerability exists in octo-sts versions prior to v0.5.3, which stems from an unauthenticated server-side request forgery vulnerability...

8.6CVSS6.8AI score0.0041EPSS
Exploits0References3
NVD
NVD
added 2025/06/11 5:15 p.m.12 views

CVE-2025-6001

A Cross-Site Request Forgery CSRF vulnerability exists in the product image upload function of VirtueMart that bypasses the CSRF protection token. An attacker is able to craft a special CSRF request which will allow unrestricted file upload into the VirtueMart media manager...

8.3CVSS0.00199EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:16 a.m.11 views

CVE-2023-38372

An unauthorized attacker who has obtained an IBM Watson IoT Platform 1.0 security authentication token can use it to impersonate an authorized platform user. IBM X-Force ID: 261201...

7.5CVSS6.7AI score0.00643EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:6 p.m.7 views

CVE-2021-20077

Nessus Agent versions 7.2.0 through 8.2.2 were found to inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. This could allow a privileged attacker to obtain the token...

7.2CVSS6.6AI score0.00346EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 3:19 a.m.12 views

CVE-2012-5607

The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an accounts password via unspecified vectors related to a "Remote Timing Attack."...

5CVSS7.2AI score0.02102EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/05/15 12:0 a.m.8 views

PT-2025-21476 · WordPress · Eventprime

Name of the Vulnerable Software and Affected Versions: EventPrime WordPress plugin versions prior to 3.5.0 Description: The issue concerns a lack of proper permission validation when updating bookings, allowing users to change or cancel bookings for other users. Additionally, the feature lacks a...

5.3CVSS5.4AI score0.00257EPSS
Exploits1References5
SUSE CVE
SUSE CVE
added 2025/04/24 3:24 a.m.5 views

SUSE CVE-2025-32963

MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the spec.audiences field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it...

6.9CVSS6.9AI score0.00573EPSS
Exploits0References3
Exploit DB
Exploit DB
added 2025/04/15 12:0 a.m.328 views

IBMi Navigator 7.5 - Server Side Request Forgery (SSRF)

Author Title: John Page aka hyp3rlinx Author Website: hyp3rlinx.altervista.org Source: https://hyp3rlinx.altervista.org/advisories/IBMiNavigatorHTTPSecurityTokenBypass-CVE-2024-51464.txt Vendor: www.ibm.com Vendor www.ibm.com Product Navigator for i is a Web console interface where you can perfor...

5.4CVSS4.8AI score0.01445EPSS
Exploits2
Exploit DB
Exploit DB
added 2025/04/15 12:0 a.m.184 views

IBMi Navigator 7.5 - HTTP Security Token Bypass

Author Title: John Page aka hyp3rlinx Author Website: hyp3rlinx.altervista.org Source: https://hyp3rlinx.altervista.org/advisories/IBMiNavigatorHTTPSecurityTokenBypass-CVE-2024-51464.txt Vendor: www.ibm.com Product Navigator for i is a Web console interface where you can perform the key tasks to...

4.3CVSS5.6AI score0.01445EPSS
Exploits2
Vulnrichment
Vulnrichment
added 2025/02/11 5:24 p.m.4 views

CVE-2019-15002

An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn’t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account...

4.6AI score0.0031EPSS
Exploits0References1
Packet Storm
Packet Storm
added 2024/10/15 12:0 a.m.438 views

Dolibarr 20.0.1 SQL Injection

Titles: dolibarr 20.0.1 Multiple security token SQLi Author: nu11secur1ty Date: 10/15/2024 Vendor: https://www.dolibarr.org/ Software: https://www.dolibarr.org/downloads.php Reference: https://portswigger.net/web-security/sql-injection Description: The socid parameter appears to be vulnerable to...

7.4AI score
Exploits0
OSV
OSV
added 2024/09/25 5:34 a.m.5 views

CGA-RW7G-MVHF-374H

Bulletin has no description...

4.3CVSS5.6AI score0.00839EPSS
Exploits0
BDU FSTEC
BDU FSTEC
added 2024/08/07 12:0 a.m.9 views

The vulnerability of the AssumeRoleWithWebIdentity request of the Security Token Service (AWS STS) – a single API for interacting with object storage services and local files in Apache Arrow Rust Object Store – allows attackers to circumvent security restrictions and gain unauthorized access to protected information.

The vulnerability of the AssumeRoleWithWebIdentity request of the Security Token Service AWS STS – a single API for interacting with object storage services and local files – is related to insufficient protection of registration data. Exploiting this vulnerability allows an attacker to bypass...

7.8CVSS5.4AI score0.0071EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2024/05/23 7:41 p.m.8 views

Silverstripe Missing CSRF protection in login form

LoginForm calls disableSecurityToken, which causes a "shared host domain" vulnerability: http://stackoverflow.com/a/15350123...

7.1AI score
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2024/05/23 12:0 a.m.5 views

PT-2024-40480 · Packagist · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned. Description: The issue arises from the LoginForm calling the disableSecurityToken function, which leads to a "shared host domain" vulnerability. This vulnerability is related to the way security...

5.4CVSS7AI score
Exploits0References6
Veracode
Veracode
added 2024/05/15 7:6 a.m.32 views

Cross-Site Scripting (XSS)

prestashop/prestashop is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the customer thread feature allowing malicious file uploads through the front-office contact form. When an admin opens the attached file in back office, arbitrary JavaScript will be executed which can...

9.6CVSS6.6AI score0.5617EPSS
Exploits2References4Affected Software1
CVE
CVE
added 2024/05/10 7:5 p.m.74 views

CVE-2024-34079

CVE-2024-34079 affects the octo-sts GitHub App (Security Token Service for the GitHub API). The issue enables excessive resource consumption, potentially causing denial of service when handling high traffic volumes. Public sources describe a DoS risk from unbounded resource usage or missing input...

3.7CVSS6.5AI score0.00581EPSS
Exploits0References2
NCSC
NCSC
added 2024/03/07 12:0 a.m.7 views

Vulnerability fixed in Cisco Secure Client

Cisco has fixed a vulnerability in the Secure Client. A malicious party could exploit the vulnerability to use a malicious link to gain access to the SAML token of the victim and thus establish a VPN connection. Access to underlying systems and applications still require authentication. Cisco has...

8.2CVSS7AI score0.29906EPSS
Exploits0
OSV
OSV
added 2024/02/29 1:40 a.m.2 views

CVE-2023-38372

An unauthorized attacker who has obtained an IBM Watson IoT Platform 1.0 security authentication token can use it to impersonate an authorized platform user. IBM X-Force ID: 261201...

7.5CVSS5.8AI score0.00643EPSS
Exploits0References2
Rows per page
Query Builder