
2483 matches found

Positive Technologies
added 2025/06/11 12:00 a.m. · 2 views

PT-2025-25288 · Gitlab · Gitlab Ce/Ee

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 17.9 through 17.10.7; GitLab CE/EE versions 17.11 through 17.11.3; GitLab CE/EE versions 18.0 through 18.0.1. Description: The issue is related to improper output encoding in the snippet viewer functionality, leading to...

CVSS 8.7 · AI score 8.7 · EPSS 0.00279
Exploits 0 · References 22
Positive Technologies
added 2025/06/11 12:00 a.m. · 2 views

PT-2025-25289

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 18.0 through 18.0.2. Description: An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions, HTML injection in the new search page could lead to account...

CVSS 8.7 · AI score 7 · EPSS 0.06133
Exploits 0 · References 26
RedhatCVE
added 2025/06/04 11:20 a.m. · 5 views

CVE-2025-47272

The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public machine) could...

CVSS 5.5 · AI score 6.8 · EPSS 0.00142
Exploits 0 · References 1
RedhatCVE
added 2025/06/04 11:20 a.m. · 8 views

CVE-2025-47289

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...

CVSS 9 · AI score 5.4 · EPSS 0.00219
Exploits 0 · References 1
NVD
added 2025/06/02 11:15 a.m. · 8 views

CVE-2025-47272

The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public machine) could...

CVSS 5.5 · EPSS 0.00142
Exploits 0 · References 2
NVD
added 2025/06/02 11:15 a.m. · 18 views

CVE-2025-47289

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...

CVSS 9 · EPSS 0.00219
Exploits 0 · References 2
Vulnrichment
added 2025/06/02 11:00 a.m. · 13 views

CVE-2025-47289 Stored XSS in CE Phoenix Cart Testimonials Allows Account Takeover if Missing HttpOnly Flag

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...

CVSS 6.3 · AI score 5.4 · EPSS 0.00219
Exploits 0 · References 2
CVE
added 2025/06/02 11:00 a.m. · 46 views

CVE-2025-47289

Summary: CVE-2025-47289 is a stored XSS in CE Phoenix (versions 1.0.9.9–1.1.0.2) where an attacker can inject JavaScript into the testimonial description. When an admin approves the testimonial, the script runs in the context of any visiting user, and cookies may be exfiltrated because they are n...

CVSS 9 · AI score 6 · EPSS 0.00219
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2025/06/02 11:00 a.m. · 12 views

CVE-2025-47289 Stored XSS in CE Phoenix Cart Testimonials Allows Account Takeover if Missing HttpOnly Flag

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...

CVSS 6.3 · EPSS 0.00219
Exploits 0 · References 2
OSV
added 2025/06/02 11:00 a.m. · 6 views

CVE-2025-47289 Stored XSS in CE Phoenix Cart Testimonials Allows Account Takeover if Missing HttpOnly Flag

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...

CVSS 6.3 · AI score 5.6 · EPSS 0.00219
Exploits 0 · References 4
OSV
added 2025/06/02 10:47 a.m. · 3 views

CVE-2025-47272 PhoenixCart Vulnerable to Account Deletion Without Password Confirmation

The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public machine) could...

CVSS 5.5 · AI score 6.7 · EPSS 0.00142
Exploits 0 · References 4
CNNVD
added 2025/06/02 12:00 a.m. · 2 views

CE Phoenix Cart Access Control Error Vulnerability

CE Phoenix Cart is a free, open-source e-commerce shopping cart software from CE Phoenix Cart Open Source. An access control error vulnerability exists in CE Phoenix Cart versions prior to 1.0.9.7 through 1.1.0.3, which stems from a lack of password revalidation when deleting an account, which...

CVSS 5.5 · AI score 6.6 · EPSS 0.00142
Exploits 0 · References 4
Positive Technologies
added 2025/06/02 12:00 a.m. · 5 views

PT-2025-23496 · Unknown · Ce Phoenix

Name of the Vulnerable Software and Affected Versions: CE Phoenix versions 1.0.9.9 through 1.1.0.2. Description: A stored cross-site scripting (XSS) issue was found in CE Phoenix, where an attacker can inject malicious JavaScript into the testimonial description field. If the shop owner approves the...

CVSS 9 · AI score 5.2 · EPSS 0.00219
Exploits 0 · References 6
Positive Technologies
added 2025/06/02 12:00 a.m. · 5 views

PT-2025-23491 · Unknown · Ce Phoenix

Name of the Vulnerable Software and Affected Versions: CE Phoenix eCommerce platform versions 1.0.9.7 through 1.1.0.3. Description: The issue allows logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session...

CVSS 5.5 · AI score 6.4 · EPSS 0.00142
Exploits 0 · References 6
NVD
added 2025/05/23 1:15 p.m. · 8 views

CVE-2024-9163

A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs...

CVSS 7.5 · EPSS 0.00356
Exploits 0 · References 2
Debian CVE
added 2025/05/23 12:31 p.m. · 8 views

CVE-2024-9163

Removed by vendor...

CVSS 7.5 · AI score 5.8 · EPSS 0.00356
Exploits 0
RedhatCVE
added 2025/05/23 11:56 a.m. · 9 views

CVE-2025-0290

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under certain conditions, processing of CI artifacts metadata could cause background jobs to become unresponsive...

CVSS 4.3 · AI score 6.4 · EPSS 0.00343
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 10:11 a.m. · 6 views

CVE-2024-29296

A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid or not...

CVSS 5.3 · AI score 7.2 · EPSS 0.01303
Exploits 2 · References 1
RedhatCVE
added 2025/05/23 9:46 a.m. · 10 views

CVE-2024-25415

A remote code execution (RCE) vulnerability in /admin/definelanguage.php of CE Phoenix v1.0.8.20 allows attackers to execute arbitrary PHP code via injecting a crafted payload into the file english.php...

CVSS 7.2 · AI score 7.5 · EPSS 0.27237
Exploits 1 · References 1
RedhatCVE
added 2025/05/23 7:33 a.m. · 10 views

CVE-2024-0231

A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits...

CVSS 2.7 · AI score 6.3 · EPSS 0.00329
Exploits 0 · References 1