EUVD-2025-7821
Malicious code in bioql PyPI...
EUVD-2022-4256
Malicious code in bioql PyPI...
EUVD-2024-31382
Malicious code in bioql PyPI...
EUVD-2024-1067
Malicious code in bioql PyPI...
CVE-2024-33670
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and...
CVE-2024-33669
An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily...
CVE-2017-1000442
Passbolt API version 1.6.4 and older are vulnerable to an XSS in the url field on the password workspace...
CVE-2025-27913
Passbolt API before 5, if the server is misconfigured with an incorrect installation process and disregarding of Health Check results, can send email messages with a domain name taken from an attacker-controlled HTTP Host header...
Passbolt security vulnerability
Passbolt is an open source password manager from the French company Passbolt. A security vulnerability exists in versions prior to Passbolt 5, which stems from a server misconfiguration that could result in the sending of e-mail with an attacker-controlled HTTP Host header domain...
CVE-2025-27913
CVE-2025-27913 concerns Passbolt API prior to version 5. The description in multiple sources states that a server misconfiguration during installation (and disregard of Health Check results) allows emails to be sent with a domain name taken from an attacker-controlled HTTP Host header. The CVSS d...
HTML Injection
passbolt/passboltapi is vulnerable to HTML injection. The vulnerability is due to improper input sanitization, allowing an attacker to inject HTML code in emails...
Remote Code Execution (RCE)
passbolt/passboltapi is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper input sanitization during the server's PGP key generation, allowing users to inject shell code during installation...
GHSA-QM5V-PJ64-852J Passbolt API Tabnabbing when opening URI with menu "Open URI in a new tab"
Description: A user could create and share a resource with a malicious URI. When the victim opens it with the "Open URI in a new tab" menu function, the malicious page has access to the window.opener object. Impact of issue: The newly opened malicious page can for example change the window.opener.location...
GHSA-2F46-4XJM-73X5 Passbolt API Stored XSS on first/last name during setup
Description: An administrator can craft a user with a malicious first name and last name, using a payload such as '; ? The user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS. Impact of issue: An administrator could us...
Passbolt API Remote code execution
Passbolt provides a way for system administrators to generate a PGP key for the server during installation. The wizard requests a username, an e-mail address and an optional comment. No escaping or verification is done by Passbolt, effectively allowing a user to inject bash code. The impact is ve...