52 matches found
CVE-2021-47778
CVE-2021-47778 affects GetSimple CMS My SMTP Contact Plugin 1.1.2. A PHP code injection vulnerability exists that allows an authenticated administrator to inject arbitrary PHP code via plugin configuration parameters, resulting in remote code execution on the server. The Red Hat and NVD/NVD-deriv...
EUVD-2024-51470
Malicious code in bioql PyPI...
The vulnerability of the Email Contact module in the Drupal CMS system allows attackers to bypass security restrictions and execute a forced browsing attack.
The vulnerability of the Email Contact module in the Drupal CMS system is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to bypass security restrictions and execute a Forceful Browsing attack...
CVE-2024-13256
Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing.This issue affects Email Contact: from 0.0.0 before 2.0.4...
CVE-2024-13256
Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing.This issue affects Email Contact: from 0.0.0 before 2.0.4...
CVE-2024-13256 Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing.This issue affects Email Contact: from 0.0.0 before 2.0.4...
CVE-2024-13256 Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
Insufficient Granularity of Access Control vulnerability in Drupal Email Contact allows Forceful Browsing.This issue affects Email Contact: from 0.0.0 before 2.0.4...
CVE-2024-13256
CVE-2024-13256 concerns Drupal’s Email Contact module. The issue is an insufficent granularity of access control that can enable forceful browsing to the mail-sending form. Affected versions are 0.0.0 through 2.0.4. Potential impact is access restriction bypass, enabling an attacker to trigger em...
Drupal 安全漏洞
Drupal is an open source content management system developed in the PHP language by the Drupal community. A security vulnerability exists in Drupal Email Contact prior to version 2.0.4, which stems from the inclusion of an insufficient access control granularity vulnerability...
apollo-portal has potential unauthorized access issue
Impact A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. Patches The issue was addressed with an input parameter check in...
DRUPAL-CONTRIB-2024-020
The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is...
PT-2024-10347 · Drupal · Email Contact
Name of the Vulnerable Software and Affected Versions: Email Contact versions 0.0.0 through 2.0.4 Description: The issue is related to insufficient granularity of access control in the Email Contact module for Drupal, allowing forceful browsing. This can be exploited by a remote attacker to bypas...
Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is...
GHSA-PCFX-G2J2-F6F6 Docassemble HTML and javascript injection
Impact A user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The HTML can also contain tags allowing JavaScript to execute on the page. Patches The vulnerability has been patched in version 1.4.97 of the master...
GHSA-7WXF-R2QV-9XWR Docassemble open redirect
Impact It is possible to create a URL that acts as an open redirect. Patches The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched. Workarounds If upgrading is not possible, manually apply the changes of 4801ac7 and restart the...
PT-2023-32900 · Unknown · Code-Projects Client Details System
Name of the Vulnerable Software and Affected Versions: code-projects Client Details System version 1.0 Description: A vulnerability has been found in the code-projects Client Details System, affecting the file /admin/regester.php of the component HTTP POST Request Handler. The manipulation of the...
GHSA-475V-PQ2G-FP9G s2n-quic potential denial of service via crafted stream frames
Impact An issue in s2n-quic could result in unnecessary resource utilization when peers open streams beyond advertised limits. Impacted versions: = v1.30.0. Patches The patch is included in v1.31.0 1. Workarounds There is no workaround. Applications using s2n-quic should upgrade to the most recen...
matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms
Impact It was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Patches Please upgrade to 1.0.1. Workarounds You can set the matrixHandler.eventCacheSize config value to 0 to workaround this...
GHSA-8274-H5JP-97VR Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack
Impact Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a Laminas\Diactoros\Uri instance associated with the incoming server request modified to reflect values from X-Forwarded-...
GHSA-4W8F-HJM9-XWGF Path Traversal in django-s3file
Impact It was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. The issue was discovered by the maintainer. There were no reports of the vulnerability being known to or exploited by a third party, before the release of the patch. If the AWSLOCATION setting...