26 matches found
EUVD-2025-30815
Malicious code in bioql PyPI...
CVE-2025-35042 Airship AI Acropolis default credentials
Airship AI Acropolis includes a default administrative account that uses the same credentials on every installation. Instances of Airship AI that do not change this account password are vulnerable to a remote attacker logging in and gaining the privileges of this account. Fixed in 10.2.35, 11.0.2...
CVE-2025-35041 Airship AI Acropolis MFA insufficient rate limiting
Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9...
CVE-2025-35041
Airship AI Acropolis MFA vulnerability: after a valid login, there is no rate limiting for MFA attempts, allowing unlimited tries within a 15-minute window to brute-force the 6-digit code. Affected versions include those prior to 10.2.35, 11.0.21, and 11.1.9. Remediation is to upgrade to 10.2.35,...
Airship AI MFA bypass and default credentials vulnerabilities
RISK EVALUATION Airship AI Acropolis is used for video and data management. In versions before 11.1.9, 11.0.21, and 10.2.35, a remote attacker who holds valid credentials but has not completed the second factor can brute force the MFA code and authenticate without the additional authentication method. Improperly configured...
Airship AI Acropolis security vulnerability
Airship AI Acropolis is a video and data management platform from Airship AI in the United States. Airship AI Acropolis has a security vulnerability that stems from the use of default administrator account credentials, which could allow a remote attacker to log in and gain account...
Airship AI Acropolis security vulnerability
Airship AI Acropolis is a video and data management platform from Airship AI in the United States. A security vulnerability exists in Airship AI Acropolis versions prior to 10.2.35, prior to 11.0.21, and prior to 11.1.9, which stems from allowing unlimited attempts at MFA...
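Added example, not Airship AI code and not a description of how Acropolis implements its check: what "unlimited MFA attempts for 15 minutes" means against a 6-digit code, next to a verifier that caps attempts per pending login. MfaVerifier, brute_force, the 5-attempt budget and the request rates are illustrative assumptions.

```python
"""Added example, not Airship AI code: a 6-digit second factor with no attempt
limit during a 15-minute post-login window, next to a verifier that caps attempts.
MfaVerifier, brute_force, the 5-attempt budget and the request rates are
illustrative assumptions, not details of the product."""
import hmac
import time

CODE_SPACE = 10 ** 6  # 000000..999999, a 6-digit TOTP/HOTP-style code


def expected_coverage(window_s: float, rate_per_s: float) -> float:
    """Fraction of the code space an attacker can try within the window at the
    given request rate; 1.0 means the whole space (guaranteed hit)."""
    return min(1.0, window_s * rate_per_s / CODE_SPACE)


class MfaVerifier:
    """Second-factor check for a login that already passed the password step.

    max_attempts=None reproduces the vulnerable behaviour: any number of tries
    for window_s seconds. With a cap, the pending login is invalidated once the
    budget is spent and the attacker must redo the password step (which has its
    own lockout) before guessing again."""

    def __init__(self, code: str, window_s: float = 900, max_attempts=None):
        self._code = code.encode()
        self._deadline = time.monotonic() + window_s
        self._max = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked or time.monotonic() > self._deadline:
            return False
        self.attempts += 1
        if self._max is not None and self.attempts > self._max:
            self.locked = True  # burn the pending login
            return False
        # constant-time compare: response timing must not leak matching digits
        return hmac.compare_digest(self._code, guess.encode())


def brute_force(verifier: MfaVerifier):
    """Enumerate codes in order until one is accepted or the verifier locks.
    Returns (accepted_code_or_None, attempts_consumed)."""
    for n in range(CODE_SPACE):
        if verifier.verify(f"{n:06d}"):
            return f"{n:06d}", verifier.attempts
        if verifier.locked:
            return None, verifier.attempts
    return None, verifier.attempts


if __name__ == "__main__":
    print("coverage at 100 req/s for 15 min:", expected_coverage(900, 100))    # 0.09
    print("coverage at 2000 req/s for 15 min:", expected_coverage(900, 2000))  # 1.0
    print("unlimited:", brute_force(MfaVerifier("042517")))
    print("capped:   ", brute_force(MfaVerifier("042517", max_attempts=5)))
```

The coverage figure treats the code as stable for the whole window; with a rotating TOTP code each attempt is an independent 1-in-10^6 guess instead, which gives the same order of success probability for the same number of requests. The cap is what changes the picture: five wrong guesses cost the attacker the whole password step, so the per-password-check success probability drops to 5/10^6 and the password-stage lockout takes over.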
MAL-2025-14211 Malicious code in airship.com (npm)
The package airship.com was found to contain malicious code...
Paragon Initiative Enterprises: Airship: Persistent XSS via Comment
Affected: Airship 2.0.0 commit 15bdc0d. CVSS: Medium 6.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Description: The "name" field of a comment on a blog post is vulnerable to persistent XSS. When replying to a comment, the comment name is...
Paragon Initiative Enterprises: Paragonie Airship Admin CSRF on Extensions Pages
Summary: The /bridge/admin/skyport/install endpoint, as well as some of the endpoints around it, is vulnerable to Cross-Site Request Forgery. Description: The functions in src/Cabin/Bridge/Controller/Skyport.php in the Airship project appear to all be vulnerable to Cross-Site...
Paragon Initiative Enterprises: Full Path Disclosure on https://airship.paragonie.com
Hi, I found a full path disclosure vulnerability on https://airship.paragonie.com. To reproduce this vulnerability, go to: https://airship.paragonie.com/my/cabins You will see something like this: Class '\ParagonIE\Airship\Cabins' not found 0 /var/www/paragonie/framework/Router.php236:...
Paragon Initiative Enterprises: Full Path Disclosure in airship.paragonie.com '/cabins/'
Hello Team, first I am so sorry if I tested this on your site, since I had problems installing it on my own. So when I saw your blog I got the endpoint https://airship.paragonie.com which is "Powered By Airship" or made using Airship CMS. Steps to reproduce: 1. register an account 2. navigate to...
Paragon Initiative Enterprises: Incomplete fix for #181225 (target=_blank vulnerability)
Hi, I believe the fix for 181225 is incomplete in the rules for Airship wysihtml parser rules. At https://github.com/paragonie/airship/blob/58f96aa0e5002b60e74456502d9bfc9483d77b3d/src/public/js/wysihtml5/parserrules/advancedandextended.js, the 'target' parameter for links is allowed to be...
Paragon Initiative Enterprises: Missing rel=noopener noreferrer in target=_blank links (Phishing attack)
Links that use target=_blank need to have rel="noopener noreferrer" in order to mitigate a phishing attack: the opened page can change the location of the page that opened it via window.opener.location = 'http://phishingsite.com/'. More information about this vulnerability:...
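Added example, not Airship's wysihtml parser rules and not Paragonie code, covering the fix both of the preceding reports ask for as a post-processing pass over rendered markup: every anchor whose target opens another browsing context gets rel="noopener noreferrer", which is what stops the opened page from reaching window.opener. The class and function names are illustrative and the sample markup is constructed.

```python
"""Added example (not Airship/wysihtml code): force rel="noopener noreferrer"
onto links that open a new browsing context. NoopenerEnforcer and
enforce_noopener are illustrative names."""
from html import escape
from html.parser import HTMLParser

REQUIRED_REL = ("noopener", "noreferrer")
# targets that reuse an existing browsing context and so never set window.opener
SAME_CONTEXT_TARGETS = {"_self", "_parent", "_top"}


class NoopenerEnforcer(HTMLParser):
    """Re-serialises the markup it is fed, rewriting <a> start tags on the way."""

    def __init__(self):
        # convert_charrefs=False so entities reach handle_entityref/handle_charref
        # and are written back out verbatim instead of being decoded into text
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, selfclosing=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, selfclosing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def _render(self, tag, attrs, selfclosing):
        # HTMLParser lower-cases tag and attribute names and unescapes values,
        # so values are re-escaped below; valueless attributes become name=""
        attrs = dict(attrs)
        if tag == "a":
            target = (attrs.get("target") or "").strip().lower()
            if target and target not in SAME_CONTEXT_TARGETS:
                rel = set((attrs.get("rel") or "").split())
                rel.update(REQUIRED_REL)  # keeps any existing tokens such as nofollow
                attrs["rel"] = " ".join(sorted(rel))
        parts = [tag] + [f'{k}="{escape(v or "", quote=True)}"' for k, v in attrs.items()]
        return f"<{' '.join(parts)}{' /' if selfclosing else ''}>"


def enforce_noopener(html: str) -> str:
    """Return `html` with rel="noopener noreferrer" on every new-context link."""
    p = NoopenerEnforcer()
    p.feed(html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # constructed sample: one _blank link, one ordinary link, one entity
    print(enforce_noopener('<p>See <a href="https://example.com" target="_blank">here</a> '
                           '&amp; <a href="/x">local</a></p>'))
```

Applying this after sanitisation, rather than relying on the sanitiser's attribute allow-list alone, means a rule that permits `target` (the gap the incomplete-fix report points at) no longer matters: the rel tokens are added regardless of what the editor produced.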
Paragon Initiative Enterprises: [Airship CMS] Local File Inclusion - RST Parser
Airship uses the very useful RST Parser from Gregwar. However, the parser has the RST include directive built in (why it isn't a separate directive per the spec, I don't know). However, as a result, LFI is possible in Airship. I realize this isn't directly Paragonie's code, but since Airship uses...
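Added example, not Gregwar's RST parser and not Airship code: how an include directive that resolves whatever path the document names becomes local file inclusion, next to a resolver that confines includes to a document root. The function names, the allowed extensions and the temporary fixture (a footer file inside the root, a secret outside it, and a symlink inside the root pointing at the secret) are constructed for illustration.

```python
"""Added example (not Gregwar/Airship code): RST ``include`` handling that
resolves any path (LFI) beside a resolver that keeps includes inside a
document root. resolve_unsafe/resolve_safe/render/demo are illustrative names."""
import os
import re
import shutil
import tempfile

INCLUDE_RE = re.compile(r"^\.\.\s+include::\s+(\S+)\s*$", re.MULTILINE)
ALLOWED_EXTENSIONS = (".rst", ".txt")  # illustrative policy for includable files


def extract_includes(rst: str) -> list:
    return INCLUDE_RE.findall(rst)


def resolve_unsafe(root: str, target: str) -> str:
    """Naive behaviour: join and read. An absolute target (os.path.join drops
    `root` for those), a ../ sequence or a symlink all escape `root`."""
    return os.path.join(root, target)


def resolve_safe(root: str, target: str) -> str:
    """Confine the include to `root`: refuse absolute paths and unexpected
    extensions, canonicalise both sides (realpath follows symlinks) and require
    the canonical target to lie under the canonical root."""
    if os.path.isabs(target) or not target.endswith(ALLOWED_EXTENSIONS):
        raise PermissionError(f"include target not allowed: {target}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, target))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"include escapes document root: {target}")
    return candidate


def render(rst: str, root: str, resolver=resolve_safe) -> str:
    """Replace each include directive with the raw contents of the file it names."""
    def substitute(match):
        with open(resolver(root, match.group(1)), encoding="utf-8") as fh:
            return fh.read()
    return INCLUDE_RE.sub(substitute, rst)


def demo() -> dict:
    """Constructed fixture: docs/footer.rst (legitimate), ../secret.txt outside
    the root, and docs/link.txt symlinked to the secret. Returns what each
    resolver does with a traversal, an absolute path and the symlink."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "docs")
        os.mkdir(root)
        with open(os.path.join(root, "footer.rst"), "w", encoding="utf-8") as fh:
            fh.write("-- footer --")
        secret = os.path.join(base, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2")
        os.symlink(secret, os.path.join(root, "link.txt"))

        results = {"legit": render(".. include:: footer.rst", root)}
        attacks = {
            "traversal": ".. include:: ../secret.txt",
            "absolute": f".. include:: {secret}",
            "symlink": ".. include:: link.txt",
        }
        for name, directive in attacks.items():
            results[name + "_unsafe"] = render(directive, root, resolve_unsafe)
            try:
                render(directive, root)
                results[name + "_safe"] = "READ"
            except PermissionError:
                results[name + "_safe"] = "blocked"
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The symlink case is why the check canonicalises with realpath before comparing: a prefix test on the joined string would accept docs/link.txt while the read still lands outside the root.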