Lucene search
K

319 matches found

Cvelist
Cvelist
added 2025/05/13 9:17 a.m.25 views

CVE-2025-4646 A high privilege user is able to create and use a valid admin API token in centreon-web

Incorrect Authorization vulnerability in Centreon web API Token creation form modules allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4...

7.2CVSS0.00377EPSS
Exploits0References2
CVE
CVE
added 2025/05/13 9:17 a.m.47 views

CVE-2025-4646

Centreon Web (API Token creation form modules) is affected by CVE-2025-4646: an Improper Privilege Management vulnerability that can enable privilege escalation. The issue exists in Centreon Web versions 24.04.0 up to, but not including, 24.04.10 and 24.10.0 up to, but not including, 24.10.4. Roo...

7.2CVSS6.3AI score0.00377EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2025/05/08 12:0 a.m.111 views

CVE-2025-47730

The TeleMessage archiving backend (versions through 2025-05-05) is affected by an authentication-side flaw where the API endpoint used to request an authentication token accepts calls from the TM SGNL (Archive Signal) app using hardcoded credentials (user: logfile, password: enRR8UVVywXYbFkqU#QDP...

7.5CVSS5.3AI score0.00323EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2025/04/18 5:15 p.m.16 views

CVE-2025-28059

An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke...

7.5CVSS0.00688EPSS
Exploits0References2
OSV
OSV
added 2025/04/09 1:9 p.m.4 views

GHSA-5PM7-CP8F-P2C2 wallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities

Impact wallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery CSRF vulnerabilities across several endpoints. An attacker could craft a malicious link or page that, if visited by a logged-in wallabag user, could trick the user's browser into performing...

4.3CVSS7.9AI score
Exploits0References20
Positive Technologies
Positive Technologies
added 2025/03/29 12:0 a.m.5 views

PT-2025-03: Local Privilege Escalation in Mobile Security Framework (MobSF)

The vulnerability was identified in Mobile Security Framework MobSF , versions 4.3.0. The discovered vulnerability allows an attacker with minimal privileges to obtain an API token, potentially resulting in privilege elevation within the system. Vulnerability status: Confirmed by vendor Date of...

8.5CVSS6.8AI score0.00348EPSS
Exploits1References1
OSV
OSV
added 2025/03/20 10:15 a.m.4 views

CVE-2024-12880

A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can manipulate their tenant access to query and acce...

6.5CVSS7.8AI score
Exploits0References1
CVE
CVE
added 2025/03/20 10:9 a.m.82 views

CVE-2024-12880

The CVE-2024-12880 entry concerns infiniflow/ragflow (RAGFlow-0.13.0) with a vulnerability in tenant ID handling that enables partial account takeover. If a user has access to multiple tenants, they can manipulate tenant access to query and obtain other tenants’ API tokens via endpoints: /v1/syst...

8.1CVSS7.9AI score0.00641EPSS
Exploits1References1Affected Software1
Packet Storm
Packet Storm
added 2025/03/10 12:0 a.m.242 views

Zabbix 6.0.32rc1 PHP Code Injection

Zabbix server version 6.0.32rc1 proof of concept remote code injection exploit. ============================================================================================================================================= | Title : Zabbix server v 6.0.32rc1 PHP Code Injection Vulnerability | |...

9.9CVSS8.3AI score0.78831EPSS
Exploits13
OSV
OSV
added 2025/02/05 9:14 p.m.9 views

GHSA-79F6-P65J-3M2M MobSF Local Privilege Escalation

Product: Mobile Security Framework MobSF Version: 4.3.0 CWE-ID: CWE-269: Improper Privilege Management CVSS vector v.4.0: 7.1 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N CVSS vector v.3.1: 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Description: MobSF has a functionality of dividing users ...

7.1CVSS6.5AI score0.00348EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2025/01/22 6:31 p.m.56 views

Incorrect permission check in Jenkins GitLab Plugin allows enumerating credentials IDs

The Jenkins GitLab Plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token credentials and...

4.3CVSS6.1AI score0.00288EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2025/01/22 5:15 p.m.5 views

CVE-2025-24397

An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins...

4.3CVSS6.7AI score
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/01/22 5:2 p.m.10 views

CVE-2025-24397

An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins...

4.4AI score0.00288EPSS
Exploits0References1
NVD
NVD
added 2024/11/22 8:15 p.m.35 views

CVE-2024-53253

Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integration. The Client ...

5.3CVSS0.00628EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2024/11/22 7:58 p.m.13 views

CVE-2024-53253 Sentry's improper error handling leaks Application Integration Client Secret

Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integration. The Client ...

5.3CVSS6.9AI score0.00628EPSS
Exploits0References3
CVE
CVE
added 2024/11/22 7:58 p.m.101 views

CVE-2024-53253

CVE-2024-53253 affects Sentry v24.11.0 (self-hosted); a specific error message could leak plaintext integration Client ID and Client Secret in an HTTP response when a failing third‑party response triggers select-requester.invalid-response during a Search UI async flow. The leak does not grant dat...

5.3CVSS5.2AI score0.00628EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2024/11/15 4:15 p.m.35 views

CVE-2024-49754

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result i...

7.5CVSS0.69818EPSS
Exploits1References2
OSV
OSV
added 2024/11/15 3:11 p.m.17 views

CVE-2024-49754 LibreNMS has a stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/api-access.inc.php

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result i...

7.5CVSS5.3AI score0.69818EPSS
Exploits1References4
NVD
NVD
added 2024/11/07 5:15 p.m.15 views

CVE-2024-48951

An issue was discovered in Logpoint before 7.5.0. Server-Side Request Forgery SSRF on SOAR can be used to leak Logpoint's API Token leading to authentication bypass...

7.5CVSS0.00312EPSS
Exploits0References3
OSV
OSV
added 2024/11/07 5:15 p.m.6 views

CVE-2024-48951

An issue was discovered in Logpoint before 7.5.0. Server-Side Request Forgery SSRF on SOAR can be used to leak Logpoint's API Token leading to authentication bypass...

7.5CVSS5.8AI score0.00312EPSS
Exploits0References3
Rows per page
Query Builder