Blind SQL Injection

Zabbix is vulnerable to blind SQL injection. The vulnerability is due to improper sanitization of the sortfield parameter in include/classes/api/CApiService.php, which allows a low-privileged user with API access to execute arbitrary SQL select queries and exfiltrate database data through...

CVE-2025-61907

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information tha...

EUVD-2020-26511

Malware in sbrugna...

EUVD-2023-55481

Malicious code in bioql PyPI...

CVE-2025-27213

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge ADB and make unsupported changes to the system. Affected Products: UniFi Connect EV Station Pro Version 1.5.18 and earlier UniFi Connect Display Versio...

CVE-2022-22109

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting XSS vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the...

CVE-2021-25968

In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field...

K000149092: PostgreSQL vulnerability CVE-2024-10978

Security Advisory Description Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises wh...

DEBIAN-CVE-2024-49369

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted clust...

Breaking the Chain of Data Access: The Importance of Separating Human and Application Users

Data, the lifeblood of any organization, relies on the database as its beating heart. As a result, businesses invest heavily in designing and monitoring all access to it. In traditional literature, there are two types of users: administrative users, who manage the entire lifecycle of a database...

Authentication flaw

The JMX Console within the Rockwell Automation Pavilion8 is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users’ session data and or log users out of their session...

CVE-2022-30618

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...

GHSA-JR37-66PJ-36V7 Cross-site Scripting in DayByDay CRM

In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scripting XSS vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the...

CVE-2021-38462

InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 does not enforce an efficient password policy. This may allow an attacker with obtained user credentials to enumerate passwords and impersonate other application users and perform operations on their behalf...

Node.js Multiple Vulnerabilities (October 12th 2021 Security Releases)

The version of Node.js installed on the remote host is prior to 12.22.7, 14.18.1 or 16.11.1. It is, therefore, affected by multiple HTTP smuggling vulnerabilities. An unauthenticated, remote attack could exploit these to bypass security controls, gain unauthorized access to sensitive data and...

Unspecified vulnerability exists in IR615 Router (CNVD-2021-82943)

The IR615 Router is a 4G industrial router from Rimu Technologies, China. The IR615 Router has a security vulnerability that could be exploited by an attacker to obtain user credentials to enumerate passwords and emulate other application users and perform actions on their behalf...

PEEL-CSRF

The request appears to be vulnerable to cross-site request forgery CSRF attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right, however, it may facilitate the exploitation of other vulnerabilities affecting application users. The...

CVE-2020-16242

The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting XSS, which may allow an attacker to trick application users into performing critical application actions that include, but are not limited to, adding and updating accounts...

CVE-2018-15614

The CVE-2018-15614 entry concerns a stored cross-site scripting (XSS) vulnerability in the one-X Portal component of Avaya IP Office. The issue allows an authenticated user to inject XSS via fields in the Conference Scheduler Service, potentially affecting other application users. Affected versio...

OpenText Document Sciences xPression 4.5SP1 Patch 13 Cross Site Scripting Vulnerability

OpenText Document Sciences xPression version 4.5SP1 Patch 13 suffers from a cross site scripting vulnerability in the XPressoDoc functionality. Title: OpenText Document Sciences xPression formerly EMC Document Sciences xPression - Cross-Site Scripting Author: Marcin Woloszyn Date: 27. September...