17 matches found
CVE-2026-40458
PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...
pac4j 安全漏洞
pac4j is a simple yet powerful Java security engine developed by pac4j OpenSource. It is used to authenticate users, retrieve their configuration files, and manage authorizations, thereby protecting web applications and web services. There were security vulnerabilities in versions of pac4j before...
CVE-2026-33727
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct...
CVE-2025-14510
Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120...
ABB Ability OPTIMAX security vulnerabilities
ABB Ability OPTIMAX is a digital energy management optimization system developed by the Swiss company ABB. There were security vulnerabilities in versions 6.1, 6.2, 6.3.0 through 6.3.1-251120, and from version 6.4.0 through 6.4.1-251120. These vulnerabilities stemmed from incorrect implementation...
CVE-2025-13497 Recras WordPress plugin <= 6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'recrasname' Shortcode Attribute
The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-46047
A User enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determine valid usernames via the Login parameter...
CVE-2024-54217
Missing Authorization vulnerability in Repute info systems ARForms.This issue affects ARForms: from n/a through 6.4.1...
QDocs Smart School SQL Injection Vulnerability
QDocs Smart School is a Smart School application from QDocs, Inc. QDocs Smart School version 6.4.1 has a SQL injection vulnerability that originates from the parameter searchdata0title/searchdata0searchfield/searchdata0 searchvalue can cause sql injection...
CVE-2023-32562
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1...
CVE-2023-32566
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1...
CVE-2022-1337
The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an authenticated attacker to crash the server via links to very large image files...
CVE-2021-36188
A improper neutralization of input during web page generation 'cross-site scripting' in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted GET parameters in requests to login and error handlers...
CVE-2021-43063
A improper neutralization of input during web page generation 'cross-site scripting' in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage...
PT-2021-21172 · Fortinet · Fortiweb
Name of the Vulnerable Software and Affected Versions: Fortinet FortiWeb versions 6.4.1 and below Fortinet FortiWeb versions 6.3.15 and below Description: The issue involves an unintended proxy or intermediary, referred to as a 'confused deputy', which allows an unauthenticated attacker to access...
Fortinet FortiClientEms 路径遍历漏洞
Fortinet FortiClientEms is a centralized, centralized management system from Fortinet, USA. A path traversal vulnerability exists in Fortinet FortiClientEMS versions 6.4.1 and below; 6.2.8 and below, which can be exploited by an attacker to add/remove files to/from a server by injecting a sequenc...
EAP: LDAP bind password is being logged with TRACE log level
AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform EAP before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential password when TRACE logging is enabled...