522 matches found
PT-2026-45954
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting XSS via Social Media links in user profile...
CVE-2026-36748
RockRMS vulnerability CVE-2026-36748 affects v16.13 and earlier of RockRMS up to v17.7.0, allowing Cross Site Scripting (XSS) via social media links in a user profile. The connected documents confirm the affected product version range and the XSS impact, but do not provide rooted technical detail...
CVE-2026-36748
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting XSS via Social Media links in user profile...
EUVD-2026-34100
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting XSS via Social Media links in user profile...
CVE-2026-36748
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting XSS via Social Media links in user profile...
CVE-2026-42280
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...
MAL-2026-4361 Malicious code in @amswf/huoke (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...
Malicious code in @amswf/huoke (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...
WordPress plugin Oliver POS 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2021-47934 MyBB Timeline Plugin 1.0 Cross-Site Scripting and CSRF
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php...
WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated Subscriber+ SQL Injection vulnerability discovered by Jonah Burgess CryptoCat in WordPress Plugin ProfileGrid versions = 5.9.8.4...
Incorrect Authorization
Overview auth0-js is an Auth0 headless browser sdk Affected versions of this package are vulnerable to Incorrect Authorization via token validation. An attacker can gain unauthorized access to user profile information by providing a specifically crafted invalid ID token along with a valid access...
Cisco Slido Insecure Direct Object Reference Vulnerability
A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed...
CVE-2026-5779
An insecure direct object reference IDOR vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an...
EUVD-2024-55551
Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...
CVE-2024-58343
Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...
CVE-2024-58343
Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...
CVE-2024-58343
Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...
CVE-2024-58343
Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...
CVE-2024-58343
CVE-2024-58343 affects Vision Helpdesk versions prior to 5.7.0, with a patch available in 5.6.10. The issue allows attackers to read user profiles by tampering serialized cookie data in vis_client_id. The CVSS v3.1 base score is 4.3 (MEDIUM) with network attack vector, low attack complexity, and ...