18 matches found

AstraLinux
added 2026/05/20 5:53 a.m., 9 views

Astra Linux - vulnerability in apache2

An encoding problem in the mod_proxy component of the Apache HTTP Server 2.4.59 and earlier versions allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication through crafted requests. It is recommended that users upgrade to version 2.4.60, as...

8.1 CVSS, 6.7 AI score, 0.88359 EPSS
Exploits 1, References 2
OSV
added 2026/01/28 6:07 p.m., 2 views

CVE-2026-24772 OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

8.9 CVSS, 5.9 AI score, 0.00035 EPSS
Exploits 0, References 3
RedhatCVE
added 2025/10/31 10:07 p.m., 3 views

CVE-2011-10036

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

5.4 CVSS, 6.2 AI score, 0.00501 EPSS
Exploits 0, References 1
EUVD
added 2025/10/31 12:30 a.m., 2 views

EUVD-2011-5267

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

5.1 CVSS, 5.7 AI score, 0.00501 EPSS
Exploits 0, References 3
NVD
added 2025/10/30 10:15 p.m., 2 views

CVE-2011-10036

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

5.4 CVSS, 0.00501 EPSS
Exploits 0, References 2
Cvelist
added 2025/10/30 9:49 p.m., 4 views

CVE-2011-10036 Nagios XI < 2011R1.9 XSS via backend_url JavaScript Link Handler

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

5.1 CVSS, 0.00501 EPSS
Exploits 0, References 2
Vulnrichment
added 2025/10/30 9:49 p.m., 1 view

CVE-2011-10036 Nagios XI < 2011R1.9 XSS via backend_url JavaScript Link Handler

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the handling of the "backend_url" JavaScript link. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

5.1 CVSS, 5.8 AI score, 0.00501 EPSS
Exploits 0, References 2
Positive Technologies
added 2025/10/30 12:00 a.m., 2 views

PT-2025-44527

Name of the Vulnerable Software and Affected Versions: Nagios XI versions prior to 2011R1.9. Description: The software is susceptible to cross-site scripting (XSS) due to inadequate validation or escaping of user-supplied input when handling the backend_url JavaScript link. This could allow an attacke...

5.4 CVSS, 5.9 AI score, 0.00501 EPSS
Exploits 0, References 4
CNNVD
added 2025/10/30 12:00 a.m., 1 view

Nagios XI security vulnerability

Nagios XI is a suite of IT infrastructure monitoring solutions from US-based Nagios. The solution supports monitoring and alerting of applications, services, operating systems, and more. A security vulnerability exists in Nagios XI versions prior to 2011R1.9, which stems from improper handling of...

5.4 CVSS, 6 AI score, 0.00501 EPSS
Exploits 0, References 2
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-24853

Malicious code in bioql PyPI...

4.3 CVSS, 5.1 AI score, 0.00193 EPSS
Exploits 0, References 2
Veracode
added 2024/05/20 5:54 a.m., 8 views

Information Disclosure

ezsystems/ezpublish-legacy is vulnerable to Information Disclosure. The vulnerability is caused due to the module not properly checking access permissions when rendering the content tree menu. This allows the tree menu to display hidden items to unauthorized users if they access the backend URL...

6.9 AI score
Exploits 0
Prion
added 2022/08/01 1:15 p.m., 8 views

Code injection

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafted URL requests. The vulnerability does not affect KrakenD itself, bu...

4 CVSS, 4.8 AI score, 0.00193 EPSS
Exploits 0, References 2, Affected Software 2
Cvelist
added 2022/08/01 12:47 p.m., 9 views

CVE-2022-1561 Crafted backend URLs in Lura Project

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafted URL requests. The vulnerability does not affect KrakenD itself, bu...

4 CVSS, 5 AI score, 0.00193 EPSS
Exploits 0, References 2
OSV
added 2021/08/30 4:13 p.m., 42 views

GHSA-H76R-VGF3-J6W5 October CMS auth bypass and account takeover

Impact: An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.
- To exploit this vulnerability, an attacker must obtain the Laravel secret key used for cookie encryption and signing.
- Due to the logic of how this mechanism works, a targeted user...

7.4 CVSS, 8.5 AI score, 0.00503 EPSS
Exploits 0, References 5
Github Security Blog
added 2021/08/30 4:13 p.m., 66 views

October CMS auth bypass and account takeover

Impact: An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.
- To exploit this vulnerability, an attacker must obtain the Laravel secret key used for cookie encryption and signing.
- Due to the logic of how this mechanism works, a targeted user...

9.1 CVSS, 0.4 AI score, 0.93036 EPSS
Exploits 1, References 5, Affected Software 1
CNVD
added 2018/08/07 12:00 a.m., 1 view

QCMS Cross-Site Request Forgery Vulnerability

QCMS is an open source content management system (CMS) for creating responsive websites. A cross-site request forgery vulnerability exists in QCMS 3.0.1, which can be exploited by remote attackers to perform unauthorized operations with the help of the backend/user/admin/add.html URI...

8.8 CVSS, 8.8 AI score, 0.00138 EPSS
Exploits 1, References 1
Prion
added 2010/06/21 7:30 p.m., 7 views

Design/Logic Flaw

The Node Reference module in the Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes...

5 CVSS, 7.2 AI score, 0.00683 EPSS
Exploits 0, References 9, Affected Software 1
Drupal
added 2010/06/16 12:00 a.m., 8 views

SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass

The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these...

7 AI score
Exploits 0, References 10