59 matches found
CVE-2026-2415
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...
GHSA-R8P8-QW9W-J9QV pretix unsafely evaluates variables in emails
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: - It was possible to exfiltrate informati...
PYSEC-2026-110
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...
CVE-2026-2415
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...
CVE-2026-2415
The CVE-2026-2415 affects pretix email templates where placeholders are rendered insecurely. Two issues are described: (1) information exfiltration via malicious placeholder names (e.g., {{event.init .code .co_filename}}) that can leak config data, including passwords or API keys, due to incomple...
CVE-2026-2415 Unsafe variable evaluation in email templates
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...
EUVD-2025-197968
The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order...
PT-2025-47284
Name of the Vulnerable Software and Affected Versions Live sales notification for WooCommerce plugin for WordPress versions prior to 2.3.39 Description The Live sales notification for WooCommerce plugin for WordPress is affected by a missing authorization issue. The getOrders function does not ha...
EUVD-2014-7520
Malware in sbrugna...
CVE-2025-3554
A vulnerability was found in phpshe 1.8. It has been rated as problematic. This issue affects some unknown processing of the file api.php?mod=cron&act=buyer. The manipulation of the argument act leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to...
PT-2025-16207 · Phpshe · Phpshe
Name of the Vulnerable Software and Affected Versions: phpshe version 1.8 Description: A problem was found in the processing of the file "api.php?mod=cron&act=buyer". The manipulation of the act argument leads to cross-site scripting. The attack may be initiated remotely. Recommendations: For...
Malicious code in b2b-buyer-portal (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5c8aef2e688f2677377a3cd234067c470e946e9197929d9b9f8fed81a6774669 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-8964 Malicious code in b2b-buyer-portal (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5c8aef2e688f2677377a3cd234067c470e946e9197929d9b9f8fed81a6774669 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Message board scams
Marketplace fraud is nothing new. Cybercriminals swindle money out of buyers and sellers alike. Lately, weve seen a proliferation of cybergangs operating under the Fraud-as-a-Service model and specializing in tricking users of online marketplaces, in particular, message boards. Criminals are...
localcarbuyer.com.au Cross Site Scripting vulnerability OBB-3879355
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Payment EX vulnerable to information disclosure
Overview Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version...
CVE-2024-0492
A vulnerability classified as critical was found in Kashipara Billing Software 1.0. Affected by this vulnerability is an unknown functionality of the file buyerdetailsubmit.php of the component HTTP POST Request Handler. The manipulation of the argument gstnno leads to sql injection. The attack c...
PT-2024-15609 · Unknown · Kashipara Billing
Name of the Vulnerable Software and Affected Versions: Kashipara Billing Software version 1.0 Description: A critical issue was found in the HTTP POST Request Handler component, specifically in the file buyer detail submit.php. The manipulation of the gstn no argument leads to sql injection. This...
Kashipara Billing Software SQL Injection Vulnerability
Kashipara Billing Software is an application from Kashipara India. Kashipara Billing Software version 1.0 suffers from a SQL injection vulnerability that stems from a SQL injection vulnerability in gstnno of the Buyerdetailsubmit.php file...
CVE-2023-49633
Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'buyeraddress' parameter of the buyerdetailsubmit.php resource does not validate the characters received and they are sent unfiltered to the database...