11 matches found

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-27083

Malware in sbrugna...

CVSS 9.8, AI score 7.4, EPSS 0.00166
Exploits: 1, References: 3
Vulnrichment
added 2025/07/08 8:49 p.m., 2 views

CVE-2025-49544 ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference 'XXE' vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or...

CVSS 6.8, AI score 6.7, EPSS 0.00573
Exploits: 0, References: 1
OSV
added 2024/06/05 5:24 p.m., 7 views

GHSA-VH6J-WV25-8QXR Flow Bugfix Releases for Entity Security

If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user like the company he belongs to, entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from...

AI score 7.8
Exploits: 0, References: 3
GitHub Security Blog
added 2024/06/05 5:24 p.m., 9 views

Flow Bugfix Releases for Entity Security

If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user like the company he belongs to, entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from...

AI score 7.8
Exploits: 0, References: 3, Affected Software: 1
Veracode
added 2024/05/22 9:41 a.m., 8 views

Information Disclosure

neos/flow is vulnerable to Information Disclosure. The vulnerability is due to entity security not properly integrating with the doctrine query cache, allowing users to reuse cached SQL queries built for other users based on their roles rather than their specific properties, potentially revealing...

AI score 7.7
Exploits: 0
OSV
added 2024/05/17 10:54 p.m., 10 views

GHSA-9CW3-J7WG-JWJ8 Neos Flow Information disclosure in entity security

If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user like the company he belongs to, entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from...

CVSS 4.3, AI score 7.5
Exploits: 0, References: 3
GitHub Security Blog
added 2024/05/17 10:54 p.m., 14 views

Neos Flow Information disclosure in entity security

If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user like the company he belongs to, entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from...

AI score 7.5
Exploits: 0, References: 3, Affected Software: 1
GitHub Security Blog
added 2022/05/17 3:46 a.m., 20 views

Exposure of Sensitive Information to an Unauthorized Actor in Direct Web Remoting

The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity reference,...

CVSS 5, AI score 6.4, EPSS 0.00394
Exploits: 0, References: 4, Affected Software: 1
NVD
added 2019/08/05 7:15 p.m., 9 views

CVE-2019-14549

An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity available to all the users. A malicious user can inject JavaScript in these values of an entity, thus stealing user cookies when someone visits the publicly accessible...

CVSS 5.4, AI score 5.2, EPSS 0.00353
Exploits: 1, References: 4
Friends Of PHP
added 2017/04/12 5:0 p.m., 12 views

Flow Bugfix Releases for Entity Security

More info at https://www.neos.io/blog/flow-bugfix-releases-for-entity-security.html...

AI score 7.2
Exploits: 0, Affected Software: 1
Friends Of PHP
added 2017/04/12 5:0 p.m., 9 views

Flow Bugfix Releases for Entity Security

More info at https://www.neos.io/blog/flow-bugfix-releases-for-entity-security.html...

AI score 7.2
Exploits: 0, Affected Software: 1