CVE-2025-58052
CVE-2025-58052 affects the Galette web application (non-profit membership manager). From version 0.9.6 through 1.1.x, attackers with a group manager role can bypass access controls, enabling unauthorized access and changes despite RBAC. The issue requires privileged access initially, limiting exp...
CVE-2025-58052 Galette has groups managers access control bypass on Members
Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires...
CVE-2025-53922 Galette has access control bypass
Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue...
EUVD-2025-204544
Galette is a membership management web application for non profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue...
CVE-2025-67751 ChurchCRM has SQL Injection in Event Editor via `EN_tyid` Parameter caused by an Incomplete Fix
ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the EventEditor.php file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event managemen...
PT-2025-51357
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.0. Description: A SQL injection issue exists in the EventEditor.php file of ChurchCRM. The `EN_tyid` POST parameter, used when creating a new event and selecting an event type, is not properly sanitized. This allows...
A Reality Check on SBOM-Based Vulnerability Management: An Empirical Study and a Path Forward
The Software Bill of Materials (SBOM) is a critical tool for securing the software supply chain (SSC), but its practical utility is undermined by inaccuracies in both its generation and its application in vulnerability scanning. This paper presents a large-scale empirical study on 2,414 open-source...
EUVD-2025-198335
Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions causes a stored XSS attack to be possible for a logged in manager user...
Malicious code in perseus-procyon-hugo-ophiuchus (npm)
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Revive Adserver: IDOR Vulnerability in Banner Deletion
Summary: I found an IDOR vulnerability in Revive Adserver's banner deletion endpoint that lets any Manager delete banners belonging to other Managers. The code validates access to the parent campaign but doesn't check if the user owns the specific banner being deleted. This means Manager A can...
Multiple Password Managers Vulnerable to Clickjacking Attacks
Overview: Browser-extension password managers, which autofill sensitive information on websites, can be exposed to various clickjacking attacks. These attacks exploit the trust relationship between a web page and the user-interface elements injected by the extension. Recent studies show that...
How Blind and Low-Vision Users Manage Their Passwords
Managing passwords securely and conveniently is still an open problem for many users. Existing research has examined users' password management strategies and identified pain points, such as security concerns, leading to insecure practices. We investigate how Blind and Low-Vision (BLV) users tackle...
Security update for python-urllib3
This update for python-urllib3 fixes the following issues: CVE-2025-50181: Pool managers now properly control redirects when retries is passed (bsc#1244925). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch"...
EUVD-2016-7549
Malware in sbrugna...
EUVD-2016-7550
Malware in sbrugna...
EUVD-2016-9483
Malware in sbrugna...
EUVD-2021-0192
Malware in sbrugna...
EUVD-2022-3698
Malicious code in bioql PyPI...
EUVD-2025-12519
Malicious code in bioql PyPI...
EUVD-2025-19410
Malicious code in bioql PyPI...