26 matches found
PT-2026-45047
Name of the Vulnerable Software and Affected Versions Koel versions prior to 9.3.5 Description Koel fails to validate individual episode enclosure URLs extracted from RSS XML feeds, despite validating the main podcast feed URL. These unvalidated URLs are stored in the database and subsequently...
CVE-2026-0508
The CVE refers to SAP BusinessObjects Business Intelligence Platform where an authenticated, high-privileged attacker can insert a malicious URL in the app. When a victim clicks it, an unvalidated redirect to the attacker-controlled domain occurs, potentially downloading malicious content. The im...
CVE-2025-64178
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be...
EUVD-2025-37862
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be...
Jellysweep 代码问题漏洞
Jellysweep is a smart cleanup tool for media servers by Jonah Personal Developer. A code issue vulnerability exists in Jellysweep 0.12.1 and prior versions, which stems from an unvalidated URL parameter in the /api/images/cache endpoint that could result in the download of arbitrary content...
EUVD-2017-6489
Malware in sbrugna...
CVE-2025-1508 WP Crowdfunding <= 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Post Content Download
The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the downloaddata action in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to download...
WordPress WP Crowdfunding plugin <= 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Post Content Download vulnerability
Missing Authorization to Authenticated Subscriber+ Post Content Download vulnerability discovered by Krzysztof Zając in WordPress Plugin WP Crowdfunding versions = 2.1.14...
CVE-2024-9654 Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass
The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verifyguestemail' function to ensure the requesting user is the intended recipient of the purchase receipt. This...
GHSA-H9WW-WJG4-JVVG Liferay Portal and Liferay DXP Fails to Check Permissions in Translation Module
The Translation module before v2.0.58 from Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via...
SUSE SLES12 Security Update : curl (SUSE-SU-2021:2425-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2425-1 advisory. - CVE-2021-22925: TELNET stack contents disclosure again. bsc1188220 - CVE-2021-22924: Bad connection reuse due to flawed path name...
CVE-2020-9979
A trust issue was addressed by removing a legacy API. This issue is fixed in iOS 14.0 and iPadOS 14.0, tvOS 14.0. An attacker may be able to misuse a trust relationship to download malicious content...
Unauthorized Access Vulnerability in Kairos Helpdesk System
The Kaixin Helpdesk Helpdesk helps IT to collect the problems handled on a daily basis and generate reports to quantify the work. An unauthorized access vulnerability exists in the Qixing Helpdesk system, which can be exploited by an attacker to download system content without authorization...
CVE-2017-5096
Insufficient policy enforcement during navigation between different schemes in Google Chrome prior to 60.0.3112.78 for Android allowed a remote attacker to perform cross origin content download via a crafted HTML page, related to intents...
CVE-2017-5096
Insufficient policy enforcement during navigation between different schemes in Google Chrome prior to 60.0.3112.78 for Android allowed a remote attacker to perform cross origin content download via a crafted HTML page, related to intents...
Input validation
Insufficient policy enforcement during navigation between different schemes in Google Chrome prior to 60.0.3112.78 for Android allowed a remote attacker to perform cross origin content download via a crafted HTML page, related to intents...
UBUNTU-CVE-2017-5096
Insufficient policy enforcement during navigation between different schemes in Google Chrome prior to 60.0.3112.78 for Android allowed a remote attacker to perform cross origin content download via a crafted HTML page, related to intents...
CVE-2017-5096
CVE-2017-5096 affects Google Chrome for Android. The issue is described as insufficient policy enforcement during navigation between schemes, enabling a remote attacker to cause a cross-origin content download via a crafted HTML page and is associated with Android intents. The Chrome 60 release (...
CVE-2017-5096
Insufficient policy enforcement during navigation between different schemes in Google Chrome prior to 60.0.3112.78 for Android allowed a remote attacker to perform cross origin content download via a crafted HTML page, related to intents...
CVE-2017-15014
OpenText Documentum Content Server formerly EMC Documentum Content Server through 7.3 contains the following design gap, which allows authenticated users to download arbitrary content files regardless of the attacker's repository permissions: When an authenticated user uploads content to the...