38 matches found
CVE-2025-0526
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows...
CVE-2024-1522
A Cross-Site Request Forgery CSRF vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the /executecode API endpoint, which does not properly validate requests, enabling an attacker to craft a...
PT-2024-17789 · Foxcms · Foxcms
Name of the Vulnerable Software and Affected Versions: FoxCMS versions up to 1.2 Description: A critical issue was found in the API Endpoint component, specifically in the file /app/api/controller/Site.php. The manipulation of the password argument leads to improper authorization, allowing for...
PT-2024-36564 · Kanboard +1 · Kanboard +1
Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.43 Description: Kanboard is project management software that focuses on the Kanban methodology. In affected versions, sessions are still usable even though their lifetime has exceeded. Kanboard implements a cust...
CVE-2024-9387 URL Redirection to Untrusted Site ('Open Redirect') in GitLab
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint...
PT-2024-16672 · Unknown · 1000 Projects Bookstore Management System
Name of the Vulnerable Software and Affected Versions: 1000 Projects Bookstore Management System version 1.0 Description: A critical issue affects some unknown functionality of the file /admin/login process.php of the component Login. The manipulation of the argument unm leads to SQL injection. T...
PT-2024-15530 · Mintplex · Anything-Llm
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm repository affected versions not specified Description: A mass assignment vulnerability exists in the "/api/invite/:code" endpoint, allowing unauthorized creation of high-privileged accounts. By intercepting and...
PT-2024-21447 · WordPress · Instawp Connect
Name of the Vulnerable Software and Affected Versions: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress versions up to, and including, 0.1.0.22 Description: The issue is related to arbitrary file uploads due to insufficient file validation in the...
PT-2023-30248 · Unknown · Peppermint Ticket Management
Name of the Vulnerable Software and Affected Versions: Peppermint Ticket Management versions 0.2.4 and earlier Description: The issue allows remote attackers to read arbitrary files via a "/api/v1/ticket/1/file/download?filepath=../" POST request. This is achieved by exploiting the filepath...
PT-2023-27681 · Dedecms · Dedecms
Name of the Vulnerable Software and Affected Versions: DedeCMS versions up to and including 5.7.110 Description: The issue concerns multiple cross-site scripting XSS vulnerabilities. These vulnerabilities are located at the "/dede/vote add.php" API endpoint via the votename and voteitem1...
PT-2023-24376 · Guanzhou Tozed Kangwei Intelligent Technology · Zlts10G
Name of the Vulnerable Software and Affected Versions: Guanzhou Tozed Kangwei Intelligent Technology ZLTS10G version S10G 3.11.6 Description: A Cross-Site Request Forgery CSRF issue allows attackers to takeover user accounts by sending a crafted POST request to the "/goform/goform set cmd process...
PT-2023-26107 · Geeklog · Geeklog
Name of the Vulnerable Software and Affected Versions: Geeklog version 2.2.2 Description: The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Rule and Route parameters of "/admin/router.php" API endpoint. This enables the execution of...
PT-2023-11501 · Jymusic · Jymusic
Name of the Vulnerable Software and Affected Versions: Jymusic version 2.0.0 Description: A cross-site request forgery CSRF issue allows attackers to execute arbitrary code via the "/admin.php?s=/addons/config.html&id=6" API endpoint to modify payment information. This can be achieved by exploiti...
PT-2022-27198 · Tenda · Tenda I21
Name of the Vulnerable Software and Affected Versions: Tenda i21 version 1.0.0.144656 Description: The issue is related to a Buffer Overflow that can be triggered via the "/goform/setUplinkInfo" API endpoint. This allows for potential exploitation. Recommendations: For Tenda i21 version...
PT-2022-25879 · 74Cmsse · 74Cmsse
Name of the Vulnerable Software and Affected Versions: 74cmsSE version 3.12.0 Description: The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. This is achieved through the /api/admin/notice/add API endpoint. Recommendations: For...
PT-2022-25892 · Unknown · Clippercms
Name of the Vulnerable Software and Affected Versions: ClipperCMS version 1.3.3 Description: The issue is related to a Server-Side Request Forgery SSRF that can be exploited via the rss url news parameter at the "/manager/index.php" API endpoint. Recommendations: For ClipperCMS version 1.3.3, avo...
PT-2022-24364 · Tenda · Tenda Ac18
Name of the Vulnerable Software and Affected Versions: Tenda AC18 router versions 15.03.05.05 through 15.03.05.19 Description: A stack overflow issue was discovered via the time parameter at the "/goform/saveParentControlInfo" API endpoint. Recommendations: For versions 15.03.05.05 through...
PT-2021-5345
Name of the Vulnerable Software and Affected Versions ForgeRock Access Management AM Core Server versions prior to 7.0 ForgeRock OpenAM version 14.6.3 and earlier Description The issue is related to a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. This...