Lucene search
K

69 matches found

OSV
OSV
added 2023/08/21 8:41 p.m.34 views

GHSA-599V-H3Q5-G6R9 Pimcore Cross-site Scripting (XSS) vulnerability in DataObject datetime fields

Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Patches Update to version 10.6.8 or apply this patch manually...

5.4CVSS5.5AI score0.00503EPSS
Exploits1References5
Prion
Prion
added 2023/08/17 6:15 p.m.23 views

Remote code execution

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to...

6.5CVSS9AI score0.01535EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2023/07/14 8:39 p.m.51 views

CVE-2023-37462 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-skin-ui

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute...

9.9CVSS10AI score0.91346EPSS
Exploits1References3
OSV
OSV
added 2023/04/27 7:37 p.m.18 views

GHSA-X9XJ-PQMV-8JF7 Cross-site Scripting (XSS) in pimcore via DataObject Class date fields

Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Patches Update to version 10.5.21 or apply this patch manually...

4CVSS4.8AI score0.00403EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2023/04/27 5:15 p.m.25 views

SQL Injection in AssetController

Impact SQL injections in AssetController due to unsanitized concatenating strings in where clause. The attacker can dump database, alter data or perform dos on the backend database. Patches Update to version 10.5.21 or apply this patch manually...

8.8CVSS6.6AI score0.0091EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2023/04/27 5:12 p.m.23 views

GHSA-FQ95-RX4Q-QGG2 Cross-site Scripting (XSS) in Admin Login too many attempts notice

Impact Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user. Furthermore, JavaScript...

6.1CVSS6.2AI score0.0109EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2023/04/27 5:11 p.m.34 views

SQL Injection in Admin Translations API

Impact SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any...

8.8CVSS9AI score0.00791EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2023/04/27 12:0 a.m.7 views

PT-2023-18883 · Pimcore · Pimcore

Name of the Vulnerable Software and Affected Versions: pimcore/pimcore versions prior to 10.5.21 Description: This issue is related to Cross-site Scripting XSS - Stored, which has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie ...

5.4CVSS4.2AI score0.00403EPSS
Exploits1References11
Github Security Blog
Github Security Blog
added 2023/04/03 6:58 p.m.31 views

Pimcore Perspective Editor vulnerable to stored cross-site scripting (XSS) in perspective name

Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Patches Update to version 1.5.1. Workarounds Apply the patch...

6.1CVSS5.6AI score0.00575EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2023/03/22 6:36 p.m.33 views

Pimcore Remote Code Execution vulnerability in Search function

Impact Attacker can get full DB and maybe RCE knowing the WEBROOT path Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch Workarounds Apply patch...

8.8CVSS8.4AI score0.65115EPSS
Exploits1References6Affected Software1
Positive Technologies
Positive Technologies
added 2023/03/16 12:0 a.m.5 views

PT-2023-21566 · Pimcore · Pimcore

Name of the Vulnerable Software and Affected Versions: Pimcore versions prior to 10.5.19 Description: Pimcore is an open source data and experience management platform. There is a theoretical possibility to inject custom SQL if the developer is using certain methods with input data and not doing...

7.9CVSS7.7AI score0.00855EPSS
Exploits0References11
Vulnrichment
Vulnrichment
added 2023/03/07 11:20 p.m.7 views

CVE-2023-27476 XML External Entity (XXE) Injection in OWSLib

OWSLib is a Python package for client programming with Open Geospatial Consortium OGC web service interface standards, and their related content models. OWSLib's XML parser which supports both lxml and xml.etree does not disable entity resolution, and could lead to arbitrary file reads from an...

8.2CVSS8.2AI score0.00985EPSS
Exploits0References5
OSV
OSV
added 2023/03/07 6:13 p.m.26 views

CVE-2023-27480 Data leak through a XAR import XXE attack in xwiki-platform-xar-model

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host...

7.7CVSS7.3AI score0.00746EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2023/02/17 12:0 a.m.94 views

Microsoft Team Foundation Server and Azure DevOps Server 2020 RCE

The Microsoft Team Foundation Server or Azure DevOps install is missing security updates. It is, therefore, affected by a remote code execution vulnerability. Note all systems require a manual process of applying new resource group tasks. Nessus is unable to detect the state of the tasks at this...

7.5CVSS8.6AI score0.01408EPSS
Exploits0References2
OSV
OSV
added 2023/02/15 6:17 p.m.17 views

GHSA-76R7-H46W-463R Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug

Impact An attacker can use XSS to send a malicious script to an unsuspecting user. Patches Update to version 10.5.17 or apply this patch manually https://github.com/pimcore/pimcore/pull/14301.patch Workarounds Apply https://github.com/pimcore/pimcore/pull/14301.patch manually. References...

6.1AI score
Exploits0References2
CVE
CVE
added 2022/12/09 10:16 p.m.60 views

CVE-2022-23497

FreshRSS CVE-2022-23497 describes an information‑disclosure vulnerability where a remote user can access user configuration files. These files can contain hashed passwords for the web interface and, if using the API, hashed passwords for GReader and Fever APIs. Affected releases are prior to 1.20...

7.5CVSS7.1AI score0.00838EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2022/12/09 10:16 p.m.8 views

CVE-2022-23497 Insecure file access in FreshRSS

FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords brypt with cost 9, salted of FreshRSS Web interface. If the API is used, the configuration might contain a...

6.5CVSS7.7AI score0.00838EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2022/12/06 12:0 a.m.6 views

PT-2022-16016 · Unknown · Daloradius

Name of the Vulnerable Software and Affected Versions: daloRADIUS versions 1.3 and prior Description: daloRADIUS is an open source RADIUS web management application. It is vulnerable to a combination of cross site scripting XSS and cross site request forgery CSRF vulnerabilities, which can lead t...

8.8CVSS8.2AI score0.00454EPSS
Exploits1References9
OSV
OSV
added 2022/06/23 5:15 p.m.4 views

CVE-2022-32553

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable t...

8.8CVSS7.2AI score0.01047EPSS
Exploits0References1
Prion
Prion
added 2022/02/24 12:15 a.m.19 views

Input validation

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...

2.6CVSS5.3AI score0.00634EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder