16 matches found
CVE-2026-34411
Appsmith versions prior to 1.98 expose sensitive instance management API endpoints without authentication. Unauthenticated attackers can query endpoints like /api/v1/consolidated-api/view and /api/v1/tenants/current to retrieve configuration metadata, license information, and unsalted SHA-256...
CVE-2026-34411
Affected product: Appsmith prior to version 1.98. Root cause: unauthenticated access to instance management API endpoints (/api/v1/consolidated-api/view, /api/v1/tenants/current) that exposes configuration metadata, license information, and unsalted SHA-256 hashes of admin email domains. Impact: ...
CVE-2023-40191
Reflected cross-site scripting XSS vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected in...
EUVD-2025-34742
Mattermost has a Missing Authorization vulnerability...
EUVD-2024-0502
Malicious code in bioql PyPI...
Don’t use corporate email for your personal life
TL;DR People use whatever is convenient. Segregation of work and personal matters is a key part of security. Using corporate addresses tramples on this separation. Corporate email addresses should be treated with the same care as sensitive corporate information. Create an Acceptable Use Policy th...
GHSA-468X-FRCM-GHX6 Liferay Portal and Liferay DXP vulnerable to reflected Cross-site Scripting
Reflected cross-site scripting XSS vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected in...
CVE-2023-40191
Reflected cross-site scripting XSS vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected in...
CVE-2023-40191
Reflected cross-site scripting XSS vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected in...
FreeBSD : gitea -- block user account creation from blocked email domains (4061a4b2-4fb1-11ee-acc7-0151f07bc899)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 4061a4b2-4fb1-11ee-acc7-0151f07bc899 advisory. - The Gitea team reports: check blocklist for emails when adding them to account 4061a4b2-4fb1-11ee-...
gitea -- block user account creation from blocked email domains
The Gitea team reports: check blocklist for emails when adding them to account...
SUSE CVE-2010-0463
Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests...
Packj - Large-Scale Security Analysis Platform To Detect Malicious/Risky Open-Source Packages
Packj pronounced package is a command line CLI tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports...
Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys
Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package...
LinkedIn: Privilege Escalation - "Analyst" Role Can View Email Domains of a Company - [GET /voyager/api/voyagerOrganizationDashEmailDomainMappings]
Summary: Hey team, During the security assessment, I came across an endpoint - GET /voyager/api/voyagerOrganizationDashEmailDomainMappings, which is vulnerable to privilege escalation. A lower privileged user can abuse this to view the list of approved domains for email verification even though i...
Stolen Twitter Credentials Latest Dataset For Sale
Tens of millions of Twitter account records including cleartext passwords are up for sale on a black market site, the latest cache of bundled credentials for major online services to be made available. The Twitter records have been analyzed by LeakedSource, which said in a post yesterday that a...