17 matches found
CVE-2026-42858
Open edX Platform enables the authoring and delivery of online learning at any scale. The syncproviderdata endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadataurl POST parameter. This URL is passed directly to requests.get in...
CVE-2026-42860 Open edx Enterprise Service: SSRF via SAML metadata URL in sync_provider_data endpoint
The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin ro...
CVE-2026-42860
The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin ro...
CVE-2026-42860
The CVE-2026-42860 issue affects Open edX Openedx Enterprise Service (edx-enterprise). From 7.0.2 through 7.0.4, the sync_provider_data endpoint retrieves SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated Enterprise Admin can PATCH this field to an arbitrary ...
CVE-2026-42860 Open edx Enterprise Service: SSRF via SAML metadata URL in sync_provider_data endpoint
The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin ro...
Open edX Platform 代码问题漏洞
The Open edX Platform is an open-source course management system developed by Open edX. This system can be used for MOOCs Massive Open Online Courses as well as smaller courses and training modules. The Open edX Platform has code vulnerabilities that stem from the syncproviderdata endpoint in the...
EDX Open edX 代码问题漏洞
EDX Open edX is an online learning management system developed by the American company EDX. Versions 7.0.2 to 7.0.4 of EDX Open edX have code vulnerabilities. These vulnerabilities stem from the syncproviderdata endpoint in the SAMLProviderDataViewSet, which retrieves the SAML metadata URL from...
GHSA-64CV-VXPR-J6VC edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint
Summary The syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin role can set this field to an arbitrary URL via the SAMLProviderConfigViewSet PATCH endpoint, then trigger...
CVE-2026-33042
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
CVE-2025-27018
CVE-2025-27018 describes an SQL injection vulnerability in the Apache Airflow MySQL Provider (before 6.2.0) caused by improper neutralization of special elements in SQL commands. When a user triggers a DAG using the dump_sql or load_sql functions, a UI-passed table parameter could be crafted to e...
CVE-2024-39717
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. Tenant level users do not have this privilege. The “Change Favicon” Favorite Icon...
CVE-2024-39717
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. Tenant level users do not have this privilege. The “Change Favicon” Favorite Icon...
GO-2022-0365 User object created with invalid provider data in GoTrue in github.com/netlify/gotrue
User object created with invalid provider data in GoTrue in github.com/netlify/gotrue...
Major CRM Provider Really Simple Systems Leaked 3M Customer Records
By Deeba Ahmed Really Simple Systems exposed its database publicly without any password or security authentication. KEY FINDINGS A global CRM… This is a post from HackRead.com Read the original post: Major CRM Provider Really Simple Systems Leaked 3M Customer Records...
CVE-2023-30725
Improper authentication in LocalProvier of Gallery prior to version 14.5.01.2 allows attacker to access the data in content provider...
User object created with invalid provider data in GoTrue
Impact What kind of vulnerability is it? Who is impacted? Under certain circumstances a valid user object would have been created with invalid provider metadata. This vulnerability affects everyone running an instance of GoTrue as a service. We advise you to update especially if you are using the...
Microsoft Windows AutoRuns Winsock Provider
Binary data windowsautorunswinsockproviders.nbin...