27 matches found

Veracode
added 2026/03/04 11:4 a.m. · 4 views

Open Redirect

Volo.Abp.Account.Web is vulnerable to Open Redirect. The vulnerability is due to improper validation of the returnUrl parameter in the register function, where an attacker can redirect users to arbitrary external domains by exploiting this vulnerability...

CVSS 5.3 · AI score 6 · EPSS 0.00062
Exploits 0 · References 3 · Affected Software 1

Cvelist
added 2025/12/16 12:0 a.m. · 22 views

CVE-2025-65581

An open redirect vulnerability exists in the Account module in Volosoft ABP Framework >= 5.1.0 and < 10.0.0-rc.2. Improper validation of the returnUrl parameter in the register function allows an attacker to redirect users to arbitrary external domains...

EPSS 0.00062
Exploits 0 · References 2

Positive Technologies
added 2025/12/16 12:0 a.m. · 3 views

PT-2025-51767

Name of the Vulnerable Software and Affected Versions: Volosoft ABP Framework versions 5.1.0 through 9.9.9-rc.2. Description: An open redirect issue exists within the Account module. Insufficient validation of the returnUrl parameter in the register function enables an attacker to redirect users to...

CVSS 5.3 · AI score 6.5 · EPSS 0.00062
Exploits 0 · References 5

CVE
added 2025/12/16 12:0 a.m. · 10 views

CVE-2025-65581

The CVE-2025-65581 entry documents an open redirect in Volosoft ABP Framework’s Account module, affecting versions 5.1.0 up to but not including 10.0.0-rc.2. The root cause is improper validation of the returnUrl parameter in the register function, allowing redirects to arbitrary external domains...

CVSS 5.3 · AI score 6.5 · EPSS 0.00062
Exploits 0 · References 2 · Affected Software 1

RedhatCVE
added 2025/11/20 9:36 p.m. · 3 views

CVE-2025-13051

When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in...

CVSS 9.3 · AI score 7.5 · EPSS 0.00021
Exploits 0 · References 1

NVD
added 2025/11/19 4:16 a.m. · 3 views

CVE-2025-13051

When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in...

CVSS 9.3 · EPSS 0.00021
Exploits 0 · References 1

CVE
added 2025/11/19 2:50 a.m. · 14 views

CVE-2025-13051

CVE-2025-13051 affects ABP (2.0–2.0.7.9050) and AES (1.0–1.0.6.8290). The vulnerability arises when the service runs from a directory writable by non-admin users, allowing an attacker to replace or plant a DLL with the same name as one loaded by the service. On service restart, the malicious DLL ...

CVSS 9.3 · AI score 7.1 · EPSS 0.00021
Exploits 0 · References 1

Vulnrichment
added 2025/11/19 2:50 a.m. · 1 view

CVE-2025-13051 Windows service used an uncontrolled search path element will cause unauthorized code execution with localsystem privileges

When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in...

CVSS 9.3 · AI score 7.1 · EPSS 0.00021
Exploits 0 · References 1

Positive Technologies
added 2025/11/19 12:0 a.m. · 3 views

PT-2025-47421

Name of the Vulnerable Software and Affected Versions: ABP versions 2.0 through 2.0.7.9050; AES versions 1.0 through 1.0.6.8290. Description: The services of ABP and AES, when installed in a directory accessible for writing by non-administrative users, are susceptible to DLL hijacking. An attacker ca...

CVSS 9.3 · AI score 7.2 · EPSS 0.00021
Exploits 0 · References 9

EUVD
added 2025/10/03 8:7 p.m. · 5 views

EUVD-2025-22418

Malicious code in bioql PyPI...

CVSS 9.2 · AI score 6.6 · EPSS 0.00081
Exploits 0 · References 1

RedhatCVE
added 2025/07/25 8:14 a.m. · 7 views

CVE-2025-8070

The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges,...

CVSS 9.2 · AI score 8.2 · EPSS 0.00081
Exploits 0 · References 1

NVD
added 2025/07/23 8:15 a.m. · 3 views

CVE-2025-8070

The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges,...

CVSS 9.2 · EPSS 0.00081
Exploits 0 · References 1

CVE
added 2025/07/23 7:26 a.m. · 14 views

CVE-2025-8070

The CVE-2025-8070 issue affects ABP (≤ 2.0.7.6130) and AES (≤ 1.0.6.6133). It is caused by an unquoted ImagePath registry value in the Windows service configuration, enabling a local attacker to place a malicious executable in a path with spaces (e.g., C:\Program.exe) and execute it. If the servi...

CVSS 9.2 · AI score 7.4 · EPSS 0.00081
Exploits 0 · References 1

Cvelist
added 2025/07/23 7:26 a.m. · 10 views

CVE-2025-8070 Windows service registered with an unquoted ImagePath vulnerability in the system registry

The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges,...

CVSS 9.2 · EPSS 0.00081
Exploits 0 · References 1

Vulnrichment
added 2025/07/23 7:26 a.m. · 4 views

CVE-2025-8070 Windows service registered with an unquoted ImagePath vulnerability in the system registry

The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges,...

CVSS 9.2 · AI score 7.4 · EPSS 0.00081
Exploits 0 · References 1

Positive Technologies
added 2025/07/23 12:0 a.m. · 1 view

PT-2025-30547 · Abp +1

Name of the Vulnerable Software and Affected Versions: ABP versions prior to 2.0.7.6130 AES versions prior to 1.0.6.6133 Description: The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary cod...

CVSS 9.2 · AI score 7.4 · EPSS 0.00081
Exploits 0 · References 8

RedhatCVE
added 2025/05/23 8:22 a.m. · 1 view

CVE-2024-1379

The Website Article Monetization By MageNet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'abpauthkey' parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping and a missing authorization check. This makes it...

CVSS 6.1 · AI score 5 · EPSS 0.01637
Exploits 0 · References 1

OSV
added 2024/03/20 7:15 a.m. · 1 view

CVE-2024-1379

The Website Article Monetization By MageNet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'abpauthkey' parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping and a missing authorization check. This makes it...

CVSS 6.1 · AI score 7.4 · EPSS 0.01637
Exploits 0 · References 2

vulnersOsv
added 2022/05/20 12:0 a.m. · 5 views

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +1749 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-core (>=5.6.0 <=5.6.3)

org.springframework.security:spring-security-core MAVEN version =5.6.0, =4.4.0.2, =1.3.1.RELEASE, =0.2.0, =0.8.3, =2.1.0.M8, =1.0.0, =2.7.0.Beta3, =2.7.0.Beta4, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.RC1 and more Source cves: CVE-2022-22978 Source advisory: OSV:GHSA-HH32-7344-CG2F...

CVSS 9.8 · AI score 6.7 · EPSS 0.90224
Exploits 6

OSV
added 2021/02/09 7:15 p.m. · 1 view

CVE-2021-22267

Idelji Web ViewPoint Suite, as used in conjunction with HPE NonStop, allows a remote replay attack for T0320L01^ABP through T0320L01^ABZ, T0952L01^AAH through T0952L01^AAR, T0986L01 through T0986L01^AAF, T0665L01^AAP, and T0662L01^AAP L and T0320H01^ABO through T0320H01^ABY, T0952H01^AAG through...

CVSS 5.9 · AI score 6.2 · EPSS 0.0033
Exploits 0 · References 3