Lucene search
+L

14 matches found

euvd
euvd
added 2026/05/14 12:26 p.m.12 views

EUVD-2026-30269

Unsafe object reference IDOR in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee first names, last...

7.1CVSS5.7AI score0.00207EPSS
Exploits0References1
cvelist
cvelist
added 2026/02/16 12:32 p.m.35 views

CVE-2026-2556 cskefu Endpoint MediaController.java server-side request forgery

A security vulnerability has been detected in cskefu up to 8.0.1. This issue affects some unknown processing of the file com/cskefu/cc/controller/resource/MediaController.java of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack may be...

6.5CVSS0.00313EPSS
Exploits1References4
vulnrichment
vulnrichment
added 2025/12/30 10:41 p.m.2 views

CVE-2023-54327 Tinycontrol LAN Controller 1.58a Authentication Bypass via Admin Password Change

Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls...

9.8CVSS6.8AI score0.00621EPSS
Exploits2References4
cve
cve
added 2025/12/30 10:41 p.m.16 views

CVE-2023-54327

CVE-2023-54327 affects Tinycontrol LAN Controller 1.58a. An authentication bypass allows unauthenticated attackers to change admin passwords by sending a crafted request to the /stm.cgi endpoint, disabling access controls and modifying administrative credentials. Impacts are described as high (co...

9.8CVSS6.8AI score0.00621EPSS
Exploits2References4Affected Software1
cve
cve
added 2025/12/17 10:44 p.m.10 views

CVE-2023-53923

UliCMS 2023.1 is affected by a privilege‑escalation vulnerability in the UserController endpoint. An unauthenticated attacker can issue a crafted POST to /dist/admin/index.php to create a new admin account with full system access. Documents identify the vulnerable component and impact (unrestrict...

9.8CVSS6.8AI score0.00466EPSS
Exploits1References3Affected Software1
euvd
euvd
added 2025/10/03 8:7 p.m.18 views

EUVD-2025-24604

Malicious code in bioql PyPI...

5.4CVSS6.6AI score0.00255EPSS
Exploits1References4
nvd
nvd
added 2025/08/13 6:15 p.m.22 views

CVE-2025-45315

A cross-site scripting XSS vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter...

5.4CVSS0.00255EPSS
Exploits1References3
susecve
susecve
added 2025/08/06 2:53 a.m.4 views

SUSE CVE-2025-53513

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through th...

6.5CVSS7.2AI score0.00647EPSS
Exploits1References2
ptsecurity
ptsecurity
added 2023/10/18 12:0 a.m.5 views

PT-2023-29775 · Unknown · Thirty Bees Core

Name of the Vulnerable Software and Affected Versions: Thirty Bees Core version 1.4.0 Description: The issue is a reflected cross-site scripting XSS vulnerability. It allows attackers to execute arbitrary JavaScript in a user's web browser via a crafted payload. The vulnerability is exploited...

6.1CVSS6AI score0.00312EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2022/12/01 12:0 a.m.8 views

PT-2022-19101 · Unknown · Asith-Eranga Isic Tour Booking

Name of the Vulnerable Software and Affected Versions: asith-eranga ISIC tour booking versions prior to the version published on Feb 13th 2018 Description: An issue in asith-eranga ISIC tour booking allows attackers to gain sensitive information via the action parameter to "/system/user/modules/m...

7.5CVSS6.6AI score0.00782EPSS
Exploits1References5
ptsecurity
ptsecurity
added 2022/09/09 12:0 a.m.8 views

PT-2022-23911 · Unknown · Shirne Cms

Name of the Vulnerable Software and Affected Versions: Shirne CMS version 1.2.0 Description: The issue is related to a Path Traversal vulnerability that could cause arbitrary file read. This is possible via the /static/ueditor/php/controller.php endpoint. Recommendations: For Shirne CMS version...

6.5CVSS6.4AI score0.02998EPSS
Exploits1References3
ptsecurity
ptsecurity
added 2022/09/02 12:0 a.m.12 views

PT-2022-23493 · Unknown · Kkfileview

Name of the Vulnerable Software and Affected Versions: kkFileView version 4.0.0 Description: The issue allows for arbitrary file deletion via the fileName parameter at the /controller/FileController.java endpoint. Recommendations: For kkFileView version 4.0.0, consider restricting access to the...

6.5CVSS6.3AI score0.00766EPSS
Exploits1References4
ptsecurity
ptsecurity
added 2018/10/31 12:0 a.m.7 views

PT-2018-4938 · Red Hat · Jboss Bpm Suite

Name of the Vulnerable Software and Affected Versions: JBoss BPM Suite 6 Description: The issue allows remote attackers to perform a reflected XSS attack via dashbuilder. This can be achieved by enticing authenticated users, typically admins, to click on malicious links to the...

6.1CVSS6AI score0.0166EPSS
Exploits0References5
redhat
redhat
added 2018/02/13 3:48 p.m.6 views

Dashbuilder: Reflected XSS

JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder usually admins to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of...

6.1CVSS6.1AI score0.0166EPSS
Exploits0References4
Rows per page
Query Builder