389 matches found
CVE-2024-6841 CSRF in vanna-ai/vanna
A Cross-Site Request Forgery CSRF vulnerability exists in the latest commit 56b782bcefd2e59b19cd7ba7878b95f54884f502 of the vanna-ai/vanna repository. Two endpoints in the built-in web app that provide SQL functionality are implemented as simple GET requests, making them susceptible to CSRF...
CVE-2024-6841 CSRF in vanna-ai/vanna
A Cross-Site Request Forgery CSRF vulnerability exists in the latest commit 56b782bcefd2e59b19cd7ba7878b95f54884f502 of the vanna-ai/vanna repository. Two endpoints in the built-in web app that provide SQL functionality are implemented as simple GET requests, making them susceptible to CSRF...
CVE-2024-6841
The CVE-2024-6841 CSRF vulnerability affects the vanna-ai/vanna repository’s built‑in web app with two GET endpoints that execute SQL. Root cause: requests can trigger arbitrary SQL commands via CSRF without requiring authentication, enabling data alteration or deletion (read access not possible)...
CVE-2025-21517
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards component: Web Runtime SEC. Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseO...
Stormshield Network Security 安全漏洞
Stormshield Network Security SNS is a next-generation UTM Unified Threat Management firewall from the French company Stormshield. A security vulnerability exists in Stormshield Network Security that stems from an attacker's ability to alter data by bypassing access restrictions through...
CVE-2024-37148 GLPI allows account takeover via SQL Injection in AJAX scripts
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrad...
MediaWiki suffers from an unspecified vulnerability (CNVD-2024-31365)
MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. It can be used to deploy in-house knowledge management and content management systems. MediaWiki has a security vulnerability that stems from the presence of cross-site request forgery CSRF,...
MediaWiki 安全漏洞
MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. It can be used to deploy in-house knowledge management and content management systems. MediaWiki has a security vulnerability that stems from the presence of cross-site request forgery CSRF,...
JVN#00442488: Multiple vulnerabilities in Ricoh Streamline NX PC Client
Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. Improper restriction of communication channel to intended endpoints CWE-923 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 6.3 CVE-2024-36252 ricoh-2024-000004 Use of hard-coded...
CVE-2024-31403
Cybozu Garoon 5.0.0–6.0.0 contains an incorrect authorization vulnerability that allows a remote authenticated attacker to alter and/or obtain Memo data due to improper restriction of memo access. Public sources (NVD, Red Hat, JVN, CNNVD, CNVD, CVE listings) confirm the impact and note the soluti...
CVE-2024-31403
Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 6.0.0 allows a remote authenticated attacker to alter and/or obtain the data of Memo...
CVE-2024-31403
Incorrect authorization vulnerability in Cybozu Garoon 5.0.0 to 6.0.0 allows a remote authenticated attacker to alter and/or obtain the data of Memo...
BookingPress < 1.0.83 - Missing Authorization to Appointment Time Alteration
Description The BookingPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in versions up to, and including, 1.0.82. This makes it possible for unauthenticated attackers to alter the duration of appointments...
JVN#28869536: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Improper handling of data in Mail CWE-231 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Base Score 4.9 CVE-2024-31397 CyVDB-3167 Improper restriction on the output of some API CWE-201...
The vulnerability of the Forminator plugin of the WordPress content management system allows a hacker to alter arbitrary data and trigger a service failure.
The vulnerability of the Forminator plugin of the WordPress content management system is related to the lack of security measures for the SQL query structure. Exploiting this vulnerability allows a malicious actor to alter arbitrary data and cause service failures...
Mautic SQL Injection in dynamic Reports
Impact Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. The user could retrieve and alter data like sensitive data, login, and depending on database permission the attacker can manipulate file systems. Patches Update t...
The vulnerability of the CRI-O Container Engine’s application programming interface allows a attacker to disclose confidential information or alter arbitrary data.
The vulnerability of the CRI-O Container Engine’s application programming interface, a software platform for managing clusters of virtual machines in Kubernetes, is related to improper access control. Exploiting this vulnerability can allow an attacker to disclose confidential information or alte...
CVE-2024-28039
Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service DoS condition...
CVE-2024-28039
Improper restriction of XML external entity references vulnerability exists in FitNesse all releases, which allows a remote unauthenticated attacker to obtain sensitive information, alter data, or cause a denial-of-service DoS condition...
BIT-DRUPAL-2022-25278
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules...