Lucene search
K

21 matches found

Github Security Blog
Github Security Blog
added 2026/05/08 7:38 p.m.10 views

Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts

Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts Affected Component Folder creation endpoint and form model: - backend/openwebui/models/folders.py lines 72-77, FolderForm with extra='allow' - backend/openwebui/models/folders.py lines 95-106,...

5CVSS6AI score0.00287EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2025/03/31 2:0 p.m.47 views

CVE-2024-12021

CVE-2024-12021 affects Coverity versions prior to 2024.9.0 and is a stored cross-site scripting (XSS) vulnerability in various administrative interfaces. The underlying impact, as stated, can include the compromise of local accounts managed by the Coverity platform and other standard XSS effects....

8.5CVSS5.3AI score0.00368EPSS
Exploits0References1
OSV
OSV
added 2024/11/15 8:48 p.m.24 views

GHSA-8FH4-942R-JF2G LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php

Summary A Stored Cross-Site Scripting XSS vulnerability in the "Services" tab of the Device page allows authenticated users to inject arbitrary JavaScript through the "descr" parameter when adding a service to a device. This vulnerability could result in the execution of malicious code in the...

7.5CVSS5.3AI score0.00449EPSS
Exploits1References4
NVD
NVD
added 2024/09/26 5:15 p.m.14 views

CVE-2024-45982

A host header injection vulnerability in scheduleR v0.0.18 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts...

8.8CVSS0.00347EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/09/26 12:0 a.m.16 views

CVE-2024-45980

A host header injection vulnerability in MEANStore 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts...

0.00385EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2024/09/26 12:0 a.m.10 views

CVE-2024-45979

A host header injection vulnerability in Lines Police CAD 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts...

7.4AI score0.00385EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/09/26 12:0 a.m.16 views

CVE-2024-45979

A host header injection vulnerability in Lines Police CAD 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts...

0.00385EPSS
Exploits0References1
CVE
CVE
added 2024/09/26 12:0 a.m.40 views

CVE-2024-45979

Affected software: Lines Police CAD 1.0. The issue is a host header injection that lets an attacker cause a crafted password reset link to reveal a password reset token, enabling arbitrary password resets and account compromise through user interaction. This vulnerability is documented in multipl...

8.8CVSS7.2AI score0.00385EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2024/09/09 9:31 p.m.25 views

Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references. Original Description A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token perio...

4.8CVSS5.6AI score0.00393EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2024/09/09 9:31 p.m.18 views

GHSA-57RH-GR4V-J5F6 Duplicate Advisory: Keycloak Uses a Key Past its Expiration Date

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xmmm-jw76-q7vg. This link is maintained to preserve external references. Original Description A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token perio...

6.3CVSS5.2AI score0.00393EPSS
Exploits0References6
NVD
NVD
added 2024/09/09 7:15 p.m.56 views

CVE-2024-7318

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds default. Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passco...

4.8CVSS0.00393EPSS
Exploits0References4
CVE
CVE
added 2024/09/09 6:50 p.m.283 views

CVE-2024-7318

CVE-2024-7318 (Keycloak) describes an OTP expiry flaw: when using FreeOTP with the default 30-second token period, expired codes can still be used, effectively making OTPs valid for 60 seconds. This creates an attack window and doubles the number of valid OTPs at any time, potentially allowing ac...

4.8CVSS5.2AI score0.00393EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2024/09/09 2:12 p.m.23 views

CVE-2024-7318

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds default. Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passco...

4.8CVSS6.8AI score0.00393EPSS
Exploits0References3
CVE
CVE
added 2024/08/23 12:0 a.m.39 views

CVE-2024-42915

Summary: CVE-2024-42915 is a host header injection vulnerability in Staff Appraisal System v1.0. Affected component: the password reset flow within Staff Appraisal System. Root cause/impact: attackers can induce a user to click a crafted password reset link to obtain a password reset token, enabl...

8CVSS7.4AI score0.00408EPSS
Exploits0References2
NVD
NVD
added 2022/10/31 9:15 p.m.21 views

CVE-2022-40289

The application was vulnerable to an authenticated Stored Cross-Site Scripting XSS in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files...

9CVSS0.00598EPSS
Exploits0References1
Prion
Prion
added 2022/10/31 9:15 p.m.18 views

Cross site scripting

The application was vulnerable to an authenticated Stored Cross-Site Scripting XSS in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files...

6CVSS7.8AI score0.00598EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2022/10/31 8:7 p.m.6 views

CVE-2022-40289 Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via file upload and download functionality.

The application was vulnerable to an authenticated Stored Cross-Site Scripting XSS in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files...

5.9AI score0.00598EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2022/01/31 12:0 a.m.6 views

CVE-2022-22561

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts...

9.8CVSS7.4AI score0.01355EPSS
Exploits0References2Affected Software1
Wired Threat Level
Wired Threat Level
added 2019/05/15 6:17 p.m.56 views

Google Will Replace Titan Security Key Over a Bluetooth Flaw

Google will replace any Titan BLE branded security key, after disclosing that a nearby attacker could use it to compromise your accounts...

2.2AI score
Exploits0
Talos Blog
Talos Blog
added 2018/11/05 8:55 a.m.114 views

Persian Stalker pillages Iranian users of Instagram and Telegram

This blog post is authored by Danny Adamatis, Warren Mercer, Paul Rascagneres, Vitor Ventura and with the contributions of Eric Kuhla. Introduction State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging...

0.6AI score
Exploits0
Rows per page
Query Builder