52 matches found
GHSA-XQ4J-G85Q-WF97 REDAXO has reflected XSS backend packages API via function parameter (CSRF token required)
Summary A reflected XSS vulnerability has been identified in the REDAXO backend. The function parameter is concatenated into an API error message and rendered without HTML escaping. --- Details Root cause User input function is injected into an exception message, then rendered by rexview::error...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the type parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of the backend session by crafting a...
CVE-2025-71241 SPIP < 4.3.6 Cross-Site Scripting in Private Area
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting XSS in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen...
CVE-2026-23598
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well...
CVE-2026-23598
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well...
CVE-2026-23598
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well...
CVE-2026-23598 Unauthenticated Information Disclosure in application API allows sensitive system information exposure
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well...
CVE-2026-23598
CVE-2026-23598 involves vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API. The issue could allow an unauthenticated remote attacker to obtain sensitive information, including user accounts, roles, and system configuration, and to gain insight into internal se...
CVE-2026-23597 Unauthenticated Information Disclosure in application API allows sensitive system information exposure
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well...
CVE-2026-23597 Unauthenticated Information Disclosure in application API allows sensitive system information exposure
Vulnerabilities in the API error handling of an HPE Aruba Networking 5G Core server API could allow an unauthenticated remote attacker to obtain sensitive information. Successful exploitation could allow an attacker to access details such as user accounts, roles, and system configuration, as well...
PT-2026-20309
Name of the Vulnerable Software and Affected Versions HPE Aruba Networking 5G Core affected versions not specified Description Issues in the API error handling of an HPE Aruba Networking 5G Core server API may allow a remote, unauthenticated attacker to obtain sensitive information. Exploitation...
CVE-2026-22198
GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting XSS vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value for example, to /api/v1/ticket.php, an unauthenticated attacker can cause...
CVE-2026-22198
GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting XSS vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value for example, to /api/v1/ticket.php, an unauthenticated attacker can cause...
CVE-2026-22198
GestSup prior to 3.2.60 (with sources also citing up to 3.2.56 in ENISA EUVD) contains a pre-authentication stored XSS in the API error logging. An unauthenticated attacker can craft the X-API-KEY header (e.g., to /api/v1/ticket.php) to inject HTML/JavaScript into log entries; when an administrat...
CVE-2022-23730
The public API error causes for the attacker to be able to bypass API access control...
GESTSUP 跨站脚本漏洞
GESTSUP is a software application from the French company GESTSUP. It is 100% web-based SUPport MANAGEMENT software that manages tickets and devices. A cross-site scripting vulnerability exists in GESTSUP 3.2.56 and prior versions, which stems from a flaw in the API error logging functionality th...
CVE-2025-13978 Generation of Error Message Containing Sensitive Information in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests...
EUVD-2018-4271
Malware in sbrugna...
EUVD-2018-21590
Malware in sbrugna...
EUVD-2021-0155
Malware in sbrugna...