Lucene search
K

16 matches found

EUVD
EUVD
added yesterday2 views

EUVD-2026-41641

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths...

6AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-28705

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths...

6AI score
Exploits0References5
CVE
CVE
added 2026/05/14 6:44 p.m.27 views

CVE-2026-44522

Vulnerability summary (CVE-2026-44522) Note Mark up to 0.19.3 allows authenticated users to upload assets with a crafted X-Name header containing directory traversal. The asset name is stored in the database without validation, and is later passed directly to filepath.Join()/path.Join() during ex...

8.6CVSS6AI score0.00495EPSS
Exploits0References1
OSV
OSV
added 2026/05/06 5:54 p.m.6 views

GHSA-33M5-HQP9-97PW Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

Summary AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking whether the requesting user has viewAssets or viewPeerAssets permission ...

7.1CVSS6AI score0.00324EPSS
Exploits0References4
Veracode
Veracode
added 2025/12/29 9:51 a.m.5 views

Cross-site Scripting (XSS)

ibexa/admin-ui is vulnerable to cross-site scripting XSS. The vulnerability is due to improper escaping of user-controlled input in image asset names, content language names, and future publishing within the back office, which allows an attacker with editor or administrator-level permissions to...

5.7AI score
Exploits0
Veracode
Veracode
added 2025/12/24 10:11 a.m.5 views

Cross-Site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of user-controlled input in image asset names, content language names, and future publishing features, which allows an attacker with back-office editor or administrator privilege...

5.5AI score
Exploits0
Github Security Blog
Github Security Blog
added 2025/10/17 5:59 p.m.9 views

ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal

Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit this vulnerability. This typically mean...

6.4AI score
Exploits0References3Affected Software1
OSV
OSV
added 2025/10/17 5:59 p.m.1 views

GHSA-2MX6-FQ24-G2MH ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal

Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit this vulnerability. This typically mean...

4.8CVSS6.4AI score
Exploits0References3
Snyk
Snyk
added 2025/10/17 5:58 p.m.3 views

Cross-site Scripting (XSS)

Overview ezsystems/ezplatform-admin-ui is a package that is part of the eZ Platform Admin UI Bundle. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the reschedule/cancel-schedule modal in the back office interface. An attacker can execute arbitrary scripts by...

8.3CVSS5.5AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2025/10/17 5:58 p.m.8 views

ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal

Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit this vulnerability. This typically mean...

6.4AI score
Exploits0References3Affected Software1
NVD
NVD
added 2025/05/28 6:15 p.m.10 views

CVE-2025-31500

Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name...

7.2CVSS0.00202EPSS
Exploits0References2
OSV
OSV
added 2025/05/28 6:15 p.m.2 views

DEBIAN-CVE-2025-31500

Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name...

6.1CVSS5AI score0.00202EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/05/28 12:0 a.m.9 views

CVE-2025-31500

Best Practical RT Request Tracker 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name...

7.2CVSS6.1AI score0.00202EPSS
Exploits0References2
CNNVD
CNNVD
added 2022/04/19 12:0 a.m.3 views

Liferay Portal和Liferay DXP 跨站脚本漏洞

Liferay Portal and Liferay DXP are both products of Liferay Inc.Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB and JMS, and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP is a...

5.4CVSS6AI score0.00546EPSS
Exploits0References3
OSV
OSV
added 2018/09/28 8:29 p.m.5 views

CVE-2018-9081

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content...

4.7CVSS5.3AI score0.0055EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2018/09/28 8:29 p.m.6 views

CVE-2018-9081

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file name used for assets accessible through the Content Viewer application are vulnerable to self cross-site scripting self-XSS. As a result, adversaries can add files to shares accessible from the Content...

4.7CVSS4.5AI score0.0055EPSS
Exploits0References2Affected Software3
Rows per page
Query Builder