13 matches found
CVE-2026-40582
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...
CVE-2026-40480 ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...
Keyfactor SignServer 安全漏洞
Keyfactor SignServer is a digital signature engine from Keyfactor USA. A security vulnerability exists in Keyfactor SignServer versions prior to 7.2, which stems from an error in the container startup logic and could result in a reset configuration to allowany...
UBUNTU-CVE-2025-62168
Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a script to bypass browser security protections and learn the credentials a trusted client uses to...
CVE-2025-53251
Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a through 7.2...
CVE-2025-53251
CVE-2025-53251 pertains to WordPress Pin WP theme versions earlier than 7.2, where an Unrestricted Upload of File with Dangerous Type enables uploading a web shell to the web server. The issue affects Pin WP
UBUNTU-CVE-2024-31227
Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users...
PT-2023-5994 · Fortinet · Fortimanager +1
Name of the Vulnerable Software and Affected Versions: Fortinet FortiManager versions 7.4.0 and before 7.2.3 Fortinet FortiAnalyzer versions 7.4.0 and before 7.2.3 Description: The issue is related to the implementation of client-side security features. It may allow a remote attacker with low...
PT-2022-20714 · Proxmox · Proxmox Virtual Environment
Name of the Vulnerable Software and Affected Versions: Proxmox Virtual Environment versions prior to 7.2-3 Description: A reflected cross-site scripting XSS issue allows remote attackers to execute arbitrary web scripts or HTML via non-existent endpoints under the path "/api2/html/". This enables...
CVE-2022-26114
An improper neutralization of input during web page generation vulnerability CWE-79 in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting XSS attack via sending specially crafted mail messages...
CVE-2016-1595
LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language HQL injection attacks and obtain sensitive information via the entityName parameter...
IBM Security QRadar SIEM Cross-Site Scripting Vulnerability
IBM Security QRadar SIEM is an IBM USA solution that consolidates log-sourced event data from thousands of devices and applications dispersed throughout the network. The solution stores each event in its raw form and then performs instant correlation of events to differentiate between actual...
gc: malloc() and calloc() overflows
Multiple integer overflows in the 1 GCgenericmalloc and 2 calloc functions in malloc.c, and the 3 GCgenericmallocignoreoffpage function in mallocx.c in Boehm-Demers-Weiser GC libgc before 7.2 make it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows...