
596 matches found

NVD
added 6 days ago, 7 views

CVE-2026-52779

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

CVSS 5.4, EPSS 0.00185
Exploits 0, References 1
ATTACKERKB
added 6 days ago, 7 views

CVE-2026-52779

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

CVSS 5.4, AI score 5.8, EPSS 0.00185
Exploits 0, References 2, Affected Software 1
CVE
added 6 days ago, 12 views

CVE-2026-52779

OpenProject prior to versions 17.3.3 and 17.4.1 contains a cross-project IDOR/authorization context confusion in the Calendar and Team Planner modules. A user with management permissions in one project can delete public Calendar or Team Planner Queries from another project where they lack corresp...

CVSS 5.4, AI score 5.8, EPSS 0.00185
Exploits 0, References 1
Cvelist
added 6 days ago, 27 views

CVE-2026-52779 OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

CVSS 5.4, EPSS 0.00185
Exploits 0, References 1
Positive Technologies
added 6 days ago, 14 views

PT-2026-52910

Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 17.3.3; OpenProject versions prior to 17.4.1. Description: An authorization context confusion and Insecure Direct Object Reference (IDOR) exist within the Calendar and Team Planner modules. A user with management...

CVSS 5.4, AI score 5.8, EPSS 0.00185
Exploits 0, References 3
NVD
added 2026/06/19 4:16 p.m., 13 views

CVE-2017-20267

Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensiti...

CVSS 8.8, EPSS 0.00334
Exploits 0, References 4
EUVD
added 2026/06/19 4:07 p.m., 4 views

EUVD-2017-18994

Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensiti...

CVSS 8.8, AI score 6, EPSS 0.00334
Exploits 0, References 4
CVE
added 2026/06/19 4:07 p.m., 13 views

CVE-2017-20267

CVE-2017-20267 affects Joomla! Calendar Planner 1.0.1. The vulnerability is an SQL injection in the category_id parameter used when viewing events, allowing unauthenticated attackers to inject SQL via GET requests to the events view and potentially extract sensitive database information. Affected...

CVSS 8.8, AI score 6, EPSS 0.00334
Exploits 0, References 4
Cvelist
added 2026/06/19 4:07 p.m., 30 views

CVE-2017-20267 Joomla! Component Calendar Planner 1.0.1 SQL Injection

Joomla! Component Calendar Planner 1.0.1 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the category_id parameter. Attackers can send GET requests to the events view with malicious SQL code in the category_id parameter to extract sensiti...

CVSS 8.8, EPSS 0.00334
Exploits 0, References 4
Positive Technologies
added 2026/06/19 12:00 a.m., 13 views

PT-2026-50944

Name of the Vulnerable Software and Affected Versions: Joomla! Component Calendar Planner version 1.0.1. Description: An SQL injection allows unauthenticated attackers to inject SQL commands via the category id parameter. By sending GET requests to the events view containing malicious SQL code in th...

CVSS 8.8, AI score 6, EPSS 0.00334
Exploits 0, References 7
NVD
added 2026/06/10 3:16 p.m., 13 views

CVE-2026-53471

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an...

CVSS 9.6, EPSS 0.00286
Exploits 0, References 3
NVD
added 2026/06/10 3:16 p.m., 11 views

CVE-2026-53469

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

CVSS 9.1, EPSS 0.00288
Exploits 0, References 3
EUVD
added 2026/06/10 1:55 p.m., 18 views

EUVD-2026-36034

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/id/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images...

CVSS 9.6, AI score 5.5, EPSS 0.0028
Exploits 0, References 3
Vulnrichment
added 2026/06/10 1:55 p.m., 10 views

CVE-2026-53470 Migration-planner: getsourcedownloadurl missing organization check

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/id/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images...

CVSS 9.6, AI score 5.3, EPSS 0.0028
Exploits 0, References 3
Cvelist
added 2026/06/10 1:55 p.m., 38 views

CVE-2026-53471 Migration-planner: agent api ignores jwt source_id claim

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an...

CVSS 9.6, EPSS 0.00286
Exploits 0, References 3
EUVD
added 2026/06/10 1:55 p.m., 11 views

EUVD-2026-36031

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an...

CVSS 9.6, AI score 5.5, EPSS 0.00286
Exploits 0, References 3
Cvelist
added 2026/06/10 1:55 p.m., 34 views

CVE-2026-53474 Migration-planner: second-order sql injection via rvtools upload

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

CVSS 9.6, EPSS 0.00298
Exploits 0, References 3
Vulnrichment
added 2026/06/10 1:55 p.m., 8 views

CVE-2026-53474 Migration-planner: second-order sql injection via rvtools upload

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

CVSS 9.6, AI score 5.8, EPSS 0.00298
Exploits 0, References 3
EUVD
added 2026/06/10 1:55 p.m., 10 views

EUVD-2026-36030

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

CVSS 9.6, AI score 5.8, EPSS 0.00298
Exploits 0, References 3
CVE
added 2026/06/10 1:55 p.m., 25 views

CVE-2026-53474

Migration-planner is affected by a second-order SQL injection via uploads of RVTools .xlsx files. The flaw arises from improper input sanitization and causes malicious SQL embedded in a spreadsheet cell to execute when cluster names are processed, enabling arbitrary file reading on the host (pote...

CVSS 9.6, AI score 5.9, EPSS 0.00298
Exploits 0, References 3, Affected Software 1