3319 matches found

Snyk
added 2025/07/02 3:42 p.m. | 3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the API endpoints responsible for updating and deleting inventory item attachments. An attacker can access or modify attachments belonging to other users by sending crafted requests as an authenticated user...

CVSS 5.4 | AI score 6.9 | EPSS 0.00237
Exploits 0 | References 2
CVE
added 2025/07/02 2:45 p.m. | 19 views

CVE-2025-53108

CVE-2025-53108 (HomeBox) : A missing authorization check in the HomeBox API endpoints for updating and deleting inventory item attachments allows authenticated users to act on attachments owned by others, leading to potential unauthorized data manipulation or loss of inventory data. The issue is ...

CVSS 5.3 | AI score 6.2 | EPSS 0.00237
Exploits 0 | References 2
Cvelist
added 2025/07/02 2:45 p.m. | 8 views

CVE-2025-53108 HomeBox Missing User Authorization

HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item...

CVSS 5.3 | EPSS 0.00237
Exploits 0 | References 2
The Hacker News
added 2025/07/02 10:45 a.m. | 12 views

Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns

Cybersecurity researchers are calling attention to phishing campaigns that impersonate popular brands and trick targets into calling phone numbers operated by threat actors. "A significant portion of email threats with PDF payloads persuade victims to call adversary-controlled phone numbers,...

AI score 6.7
Exploits 0
Positive Technologies
added 2025/07/02 12:0 a.m. | 1 views

PT-2025-27638 · Homebox · Homebox

Name of the Vulnerable Software and Affected Versions: HomeBox versions prior to 0.20.1 Description: The issue is related to a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform...

CVSS 5.3 | AI score 6.1 | EPSS 0.00237
Exploits 0 | References 6
RedhatCVE
added 2025/06/29 2:26 p.m. | 6 views

CVE-2025-53268

Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through <= 1.5.12...

CVSS 4.3 | AI score 5.9 | EPSS 0.00084
Exploits 0 | References 1
OSSF Malicious Packages
added 2025/06/29 1:2 p.m. | 2 views

Malicious code in smart-attachments (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d7c36907a46d56559df062e1afb7ca8644198d352f1a8b43e59c60cad5da43ea Any computer that has this package installed or running should be considered...

AI score 7
Exploits 0 | References 1
OSV
added 2025/06/29 1:2 p.m. | 0 views

MAL-2025-5328 Malicious code in smart-attachments (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d7c36907a46d56559df062e1afb7ca8644198d352f1a8b43e59c60cad5da43ea Any computer that has this package installed or running should be considered...

AI score 7.2
Exploits 0 | References 1
RedhatCVE
added 2025/06/28 1:20 p.m. | 3 views

CVE-2025-5966

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report...

CVSS 8.1 | AI score 6 | EPSS 0.13404
Exploits 0 | References 1
NVD
added 2025/06/27 2:15 p.m. | 4 views

CVE-2025-53268

Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through <= 1.5.12...

CVSS 4.3 | EPSS 0.00084
Exploits 0 | References 1
Vulnrichment
added 2025/06/27 1:21 p.m. | 2 views

CVE-2025-53268 WordPress Import external attachments plugin <= 1.5.12 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through 1.5.12...

CVSS 4.3 | AI score 7.2 | EPSS 0.00084
Exploits 0 | References 1
CNNVD
added 2025/06/27 12:0 a.m. | 2 views

WordPress plugin Import external attachments Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A cross-site request forgery vulnerability exists i...

CVSS 4.3 | AI score 6.4 | EPSS 0.00084
Exploits 0 | References 2
Positive Technologies
added 2025/06/27 12:0 a.m. | 2 views

PT-2025-27175 · Unknown · Import External Attachments

Name of the Vulnerable Software and Affected Versions: ryanpcmcquen Import external attachments versions 1.5.12 and earlier Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that affects the Import external attachments feature, allowing unauthorized requests to be made on...

CVSS 4.3 | AI score 6.7 | EPSS 0.00084
Exploits 0 | References 3
CNVD
added 2025/06/27 12:0 a.m. | 2 views

WordPress Download Attachments plugin Improper Access Control Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. An improper access control vulnerability exists in the WordPress Download Attachments plugin that stems from a user control key leading to an authorization bypass, no details of...

CVSS 5.3 | AI score 6.1 | EPSS 0.0023
Exploits 0 | References 1
OSV
added 2025/06/26 1:15 p.m. | 3 views

CVE-2025-5966

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report...

CVSS 8.1 | AI score 5.8 | EPSS 0.13404
Exploits 0 | References 1
NVD
added 2025/06/26 1:15 p.m. | 3 views

CVE-2025-5966

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report...

CVSS 8.1 | EPSS 0.13404
Exploits 0 | References 1
Vulnrichment
added 2025/06/26 12:22 p.m. | 2 views

CVE-2025-5966 Stored XSS

Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report...

CVSS 8.1 | AI score 6.4 | EPSS 0.13404
Exploits 0 | References 1
Veracode
added 2025/06/24 7:7 a.m. | 3 views

Cross-Site Scripting (XSS)

dnn.platform is vulnerable to cross-site scripting (XSS). The vulnerability is due to improper input validation and sanitization in the Activity Feed Attachments endpoint, allowing malicious scripts to be injected and rendered...

CVSS 5.4 | AI score 6.4 | EPSS 0.00141
Exploits 0 | References 3 | Affected Software 1
RedhatCVE
added 2025/06/23 8:41 a.m. | 2 views

CVE-2025-52485

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue...

CVSS 5.1 | AI score 7 | EPSS 0.00141
Exploits 0 | References 1
RedhatCVE
added 2025/06/23 8:40 a.m. | 3 views

CVE-2025-49995

Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through <= 1.3.1...

CVSS 5.3 | AI score 5.9 | EPSS 0.0023
Exploits 0 | References 1