Lucene search
K

377 matches found

Positive Technologies
Positive Technologies
added 2025/12/11 12:0 a.m.7 views

PT-2025-50611

Name of the Vulnerable Software and Affected Versions ScreenConnect versions prior to 25.8 Description The ScreenConnect server component, in versions prior to 25.8, has insufficient server-side validation and integrity checks within its extension subsystem. This allows the installation and...

9.1CVSS7.9AI score0.0033EPSS
Exploits0References10
Github Security Blog
Github Security Blog
added 2025/12/08 5:56 p.m.17 views

1Panel – CAPTCHA Bypass via Client-Controlled Flag

Summary A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed,...

7.5CVSS7.2AI score0.00405EPSS
Exploits0References5Affected Software2
OSV
OSV
added 2025/12/02 12:0 a.m.5 views

CVE-2025-65844

EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary...

7.5CVSS7.3AI score0.00339EPSS
Exploits1References3
EUVD
EUVD
added 2025/11/25 9:32 p.m.7 views

EUVD-2025-199636

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data e.g., user profiles, project records fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

5.3CVSS6AI score0.00202EPSS
Exploits0References3
OSV
OSV
added 2025/11/25 7:15 p.m.7 views

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data e.g., user profiles, project records fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

5.3CVSS5.7AI score0.00202EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/11/25 12:0 a.m.11 views

PT-2025-48065

The Primakon Pi Portal 1.0.18 /api/V2/pp users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value e.g., [email protected], an attacker can assume the session and gain...

7AI score0.00255EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/11/25 12:0 a.m.2 views

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data e.g., user profiles, project records fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

6.1AI score0.00202EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/11/25 12:0 a.m.10 views

CVE-2025-64062

The Primakon Pi Portal 1.0.18 /api/V2/ppusers?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value e.g., [email protected], an attacker can assume the session and gain...

0.00255EPSS
Exploits0References2
CVE
CVE
added 2025/11/25 12:0 a.m.16 views

CVE-2025-64065

Primakon Pi Portal 1.0.18 exposes /api/V2/pp_udfv_admin to authenticated, low-privilege users via an access control flaw (Broken Function Level Authorization) and insecure design, enabling direct PATCH-based impersonation of arbitrary users, including Administrators, without password or admin tok...

8.8CVSS6.8AI score0.00255EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2025/11/25 12:0 a.m.15 views

CVE-2025-64062

The CVE (CVE-2025-64062) affects Primakon Pi Portal 1.0.18. The /api/V2/pp_users?email endpoint lacks proper server-side validation against the authenticated session, allowing an attacker to manipulate the email parameter to an arbitrary value (e.g., [email protected]) to hijack the session and ...

8.8CVSS6.6AI score0.00255EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2025/11/19 7:6 p.m.4 views

CVE-2025-65094 WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu...

8.7CVSS6.6AI score0.00338EPSS
Exploits3References2
EUVD
EUVD
added 2025/11/19 7:6 p.m.5 views

EUVD-2025-198230

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu...

8.7CVSS6.4AI score0.00338EPSS
Exploits3References2
OSV
OSV
added 2025/11/19 7:6 p.m.11 views

CVE-2025-65094 WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)

WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu...

8.7CVSS6.9AI score0.00338EPSS
Exploits3References4
CVE
CVE
added 2025/11/18 12:0 a.m.19 views

CVE-2025-63800

Open Source Point of Sale 3.4.1 contains a flaw in the password change endpoint: if an authenticated user omits or leaves the password and repeat_password fields empty, the server may treat it as a valid request and set the user’s password to an empty string. This lacks server-side validation and...

7.5CVSS6.5AI score0.00417EPSS
Exploits1References3Affected Software1
Hacker One
Hacker One
added 2025/11/15 5:49 a.m.10 views

AWS VDP: Unlimited Reuse of Coupon Code Allows Free Shipping on All Orders on ██████████

A vulnerability was found in the coupon code system of the ██████████ online store. The coupon code for free shipping could be used multiple times on any number of orders without any restrictions or tracking. This allowed users to bypass shipping charges indefinitely, resulting in a direct...

5.6AI score
Exploits0
Veracode
Veracode
added 2025/11/12 6:24 a.m.9 views

Improper Input Validation

Rancher Manager is vulnerable to improper input validation. The vulnerability is due to missing server-side validation on the .username field, which allows an attacker with update permissions on other user resources to cause denial of access for targeted accounts...

7.6CVSS8.5AI score0.00453EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2025/11/10 10:32 p.m.19 views

CVE-2021-4462

Employee Records System v1.0 contains an unrestricted file upload vulnerability in uploadID.php that allows remote, unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution. Exploitation evidence is reported (Shadowserver Foundation, 2025-02-06 UTC). Affected comp...

9.8CVSS6.8AI score0.03237EPSS
In wildExploits2References3Affected Software1
CNNVD
CNNVD
added 2025/11/10 12:0 a.m.5 views

Employee Records System 安全漏洞

Employee Records System is a small business employee record keeping system. A security vulnerability exists in Employee Records System version 1.0, which stems from a failure to perform server-side validation on the uploadID.php endpoint, which could allow a remote, unauthenticated attacker to...

9.8CVSS7.4AI score0.03237EPSS
Exploits2References4
Vulnrichment
Vulnrichment
added 2025/11/06 9:50 p.m.5 views

CVE-2024-12125 3scale-porta: readonly fields not validated server-side

A flaw was found in the 3scale Developer Portal. When creating or updating an account in the Developer Portal UI it is possible to modify fields explicitly configured as read-only or hidden, allowing an attacker to modify restricted information...

7.5CVSS6.2AI score0.00243EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/11/06 9:50 p.m.8 views

CVE-2024-12125 3scale-porta: readonly fields not validated server-side

A flaw was found in the 3scale Developer Portal. When creating or updating an account in the Developer Portal UI it is possible to modify fields explicitly configured as read-only or hidden, allowing an attacker to modify restricted information...

7.5CVSS0.00243EPSS
Exploits0References2
Rows per page
Query Builder