
7 matches found

EUVD
added 2025/11/07 6:30 p.m. (4 views)

EUVD-2025-38263

A DOM-based Cross-Site Scripting XSS vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An...

AI score: 5.5 | EPSS: 0.00232
Exploits: 1 | References: 3
EUVD
added 2025/11/07 6:30 p.m. (6 views)

EUVD-2025-38272

A Broken Object Level Authorization BOLA vulnerability was discovered in the tRPC project mutation APIs update, delete, add/remove tag of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for...

AI score: 6.2 | EPSS: 0.0026
Exploits: 1 | References: 3
NVD
added 2025/11/07 5:15 p.m. (9 views)

CVE-2025-63785

A DOM-based Cross-Site Scripting XSS vulnerability exists in the text editor feature of the Onlook web application 0.2.32. This vulnerability occurs because user-supplied input is not properly sanitized before being directly injected into the DOM via innerHTML when editing a text element. An...

CVSS: 6.1 | EPSS: 0.00232
Exploits: 1 | References: 2
OSV
added 2025/11/07 4:15 p.m. (5 views)

CVE-2025-63783

A Broken Object Level Authorization BOLA vulnerability was discovered in the tRPC project mutation APIs update, delete, add/remove tag of the Onlook web application 0.2.32. The vulnerability exists because the API fails to verify the ownership or membership of the currently authenticated user for...

CVSS: 7.6 | AI score: 5.8 | EPSS: 0.0026
Exploits: 1 | References: 2
CVE
added 2025/11/07 12:00 a.m. (10 views)

CVE-2025-63784

Onlook web application 0.2.32 contains an Open Redirect vulnerability in the OAuth callback handler (file onlook/apps/web/client/src/app/auth/callback/route.ts). The issue arises from trusting the X-Forwarded-Host header without proper validation when constructing the redirect URL, enabling an at...

CVSS: 6.5 | AI score: 6.5 | EPSS: 0.00373
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2025/11/07 12:00 a.m. (11 views)

CVE-2025-63783

Onlook web application 0.2.32 contains a Broken Object Level Authorization (BOLA) in tRPC mutation APIs (update, delete, add/remove tag). The API fails to verify the requester’s ownership/membership for the target project ID, enabling an authenticated attacker to modify, delete, or manipulate tag...

CVSS: 7.6 | AI score: 6.4 | EPSS: 0.0026
Exploits: 1 | References: 2 | Affected Software: 1
Positive Technologies
added 2025/11/07 12:00 a.m. (7 views)

PT-2025-45466

Name of the Vulnerable Software and Affected Versions: Onlook web application version 0.2.32. Description: A Broken Object Level Authorization BOLA issue exists in the tRPC project mutation APIs update, delete, add/remove tag of the Onlook web application. The API does not properly validate if the...

CVSS: 7.6 | AI score: 5.5 | EPSS: 0.0026
Exploits: 1 | References: 6