246 matches found
EUVD-2022-4779
Malicious code in bioql PyPI...
EUVD-2023-2056
Malicious code in bioql PyPI...
EUVD-2024-39636
Malicious code in bioql PyPI...
EUVD-2024-2489
Malicious code in bioql PyPI...
EUVD-2025-21169
Malicious code in bioql PyPI...
CVE-2025-10752
The OAuth Single Sign On – SSO OAuth Client plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter base64 encoded app name without any randomness in the OAuth flow. This makes it possible f...
CVE-2025-10752 OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery
The OAuth Single Sign On – SSO OAuth Client plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter base64 encoded app name without any randomness in the OAuth flow. This makes it possible f...
CVE-2025-10752
CVE-2025-10752 affects the OAuth Single Sign On – SSO (OAuth Client) WordPress plugin. The issue is a Cross‑Site Request Forgery (CSRF) in the OAuth flow caused by a predictable state parameter (base64-encoded app name) that is used during authorization requests. This enables unauthenticated atta...
PT-2025-39475
Name of the Vulnerable Software and Affected Versions WordPress OAuth Single Sign On plugin versions prior to 6.26.12 Description The OAuth Single Sign On – SSO OAuth Client plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of utilizing a predictable state...
CVE-2025-40682
SQL injection vulnerability in Human Resource Management System version 1.0, which allows an attacker to retrieve, create, update and delete databases via the “city” and “state” parameters in the /controller/ccity.php endpoint...
CVE-2025-40682
SQL injection vulnerability in Human Resource Management System version 1.0, which allows an attacker to retrieve, create, update and delete databases via the “city” and “state” parameters in the /controller/ccity.php endpoint...
📄 Invision Community 5.0.7 Cross Site Scripting
Invision Community versions 5.0.7 and below have an issue where user input passed through the state POST parameter to the /oauth/callback/index.php script is not properly sanitized before being used to generate HTML output. This can be exploited by attackers to perform reflected cross site...
CVE-2025-43856
immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow...
CVE-2025-43856
The CVE-2025-43856 entry concerns immich, a self-hosted photo/video management solution. Affected versions are prior to 1.132.0. The root cause is that the OAuth2 state parameter is not validated, which defeats CSRF protection. When immich uses the /user-settings page as a redirect URI, an attack...
CVE-2025-43856 immich allows account hijacking through oauth2
immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow...
CVE-2025-43856 immich allows account hijacking through oauth2
immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow...
CVE-2025-43856 immich allows account hijacking through oauth2
immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow...
CVE-2024-30989
Cross Site Scripting vulnerability in /edit-client-details.php of phpgurukul Client Management System using PHP & MySQL 1.1 allows attackers to execute arbitrary code via the "cname", "comname", "state" and "city" parameter...
CVE-2024-42476
In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the state parameter to prevent cross-site request forgery CSRF attacks where a resource owner might have their session associated with protected resources belonging to an attacker. Whe...
CVE-2023-26847
A stored cross-site scripting XSS vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at opencats/index.php?m=candidates...