13 matches found
EUVD-2024-46507
Malicious code in bioql PyPI...
CVE-2024-5270
Mattermost versions 9.5.x = 9.5.3, 9.7.x = 9.7.1, 9.6.x = 9.6.1 and 8.1.x = 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit...
Improper Access Control
Mattermost is vulnerable to Improper Access Control. The vulnerability is due to a failure to verify if the email signup configuration option is enabled when a user requests to switch from SAML to email, allowing users to switch their authentication method and potentially edit personal details...
CVE-2024-5270
Mattermost versions 9.5.x = 9.5.3, 9.7.x = 9.7.1, 9.6.x = 9.6.1 and 8.1.x = 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit...
CVE-2024-5270 SAML to email switch possible when email signin is disabled
Mattermost versions 9.5.x = 9.5.3, 9.7.x = 9.7.1, 9.6.x = 9.6.1 and 8.1.x = 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit...
CVE-2024-5270 SAML to email switch possible when email signin is disabled
Mattermost versions 9.5.x = 9.5.3, 9.7.x = 9.7.1, 9.6.x = 9.6.1 and 8.1.x = 8.1.12 fail to check if the email signup configuration option is enabled when a user requests to switch from SAML to Email. This allows the user to switch their authentication mail from SAML to email and possibly edit...
CVE-2024-5270
Mattermost vulnerable in multiple tracked versions (8.1.x <= 8.1.12; 9.5.x <= 9.5.3; 9.6.x <= 9.6.1; 9.7.x email switch. Impact: improper access control for authentication method and related data. Mitigation: upgrade to versions later than the listed fixed versions (as documented in PT-2...
ALPINE-CVE-2023-27043
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is...
Rocket.Chat: [Security Vulnerability Rocket.chat] HTML Injection into Email via Signup
Description Due to a lack of sanitization and validation in parameter affected, we can input HTML Tag and system will render it into Email victim. Affected Endpoint https://chat.oas.greenhost.net/home Parameter : Name Step to produce In textbox name, input HTML code like "\”@x.y " And in Email,...
WordPress GoDaddy godaddy-email-marketing-sign-up-forms plugin cross-site request forgery vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in the WordPress GoDaddy godaddy-email-marketing-sign-up-for...
FV Flowplayer Video Player <= 7.3.13.727 - Unauthenticated Stored XSS
The vulnerable function is exposed to unauthenticated users over wpajaxnoprivfvwpflowplayeremailsignup ajax hook. It saves anything that user provides in email POST parameter. Send POST request to wp-admin/admin-ajax.php with body content: "action=fvwpflowplayeremailsignup&list=1&[email protected]"...
hermitageart.com XSS vulnerability
Open Bug Bounty ID: OBB-598465 Description| Value ---|--- Affected Website:| hermitageart.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| 6.1...
Hiro: Cross site request forgery
An e-mail signup form does not check CSRF tokens. This would allow the creation of click-able links which perform an e-mail signup. Because the e-mail signup form does not pass any sensitive information, nor perform any state changes on behalf of a user, this is not a vector for attack...