CVE-2024-56366 PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the Accounting.php file. Using the...
CVE-2024-56365
PhpSpreadsheet (phpspreadsheet) has an unauthorized reflected XSS in the Downloader constructor. Affected versions pre-3.7.0, pre-2.3.5, pre-2.1.6, and pre-1.29.7 are vulnerable via GET parameters in the samples/download.php script. The issue allows executing arbitrary JavaScript in the victim’s ...
CVE-2024-56365 PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the Downloader class. Using the /vendor/phpoffice/phpspreadsheet/samples/download.php...
CVE-2024-56513 Karmada PULL Mode Cluster Privilege Escalation
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the karmadactl register command have excessive privileges to access control plane resources...
CVE-2024-56408
PhpSpreadsheet (PHP) has a cross-site scripting (XSS) vulnerability in the Convert-Online.php sample due to missing input sanitization. Affected versions are prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7; these versions lack sanitization in /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-...
CVE-2024-56408 PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a cross-site scripting attack...
Four-Faith Router adjust_sys_time command injection
Added: 01/03/2025. Background: Four Faith F3x24 is a Wi-Fi industrial router; F3x36 is an LTE wireless router. Problem: A default password and command injection vulnerability in the adjustsystime function in the F3x24 and F3x36 routers could allow an attacker to execute arbitrary commands. Resolution...
PT-2025-3276 · Acronis · Acronis Cyber Protect 16
Name of the Vulnerable Software and Affected Versions: Acronis Cyber Protect 16 Windows versions before build 39169 Description: The issue is related to missing session invalidation after a user is deleted. This means that even after a user's account is deleted, their session remains active. The...
PT-2025-26181
Name of the Vulnerable Software and Affected Versions: ClamAV versions 1.0.9 through 1.4.3 Description: A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute...
PT-2025-37011
Name of the Vulnerable Software and Affected Versions: Chromium versions prior to 140.0.7339.127; Chromium versions 140.0.7339.127-1deb12u1 through 140.0.7339.127-1deb13u1; Chromium version 141.0.7390.76-alt0.p11.1 Description: The issue involves an inappropriate implementation within the Mojo IPC...
PT-2025-22321
Name of the Vulnerable Software and Affected Versions: libsoup versions 2.4 through 3 Description: A flaw was found in the libsoup package due to its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP...
PT-2025-16899 · Google +3 · Google Chrome +3
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 135.0.7049.95; Microsoft Edge (Chromium-based), affected versions not specified Description: A heap buffer overflow in Codecs in Google Chrome on Windows allowed a remote attacker to potentially exploit he...
PT-2024-36424 · I · I
Name of the Vulnerable Software and Affected Versions: I, Librarian versions prior to 5.11.1 Description: The issue is related to Server-Side Request Forgery (SSRF) due to improper input validation in classes/security/validation.php. This allows for bypassing protection mechanisms. The estimated...
CVE-2024-56801
Tasklists provides plugin tasklists for GLPI. Versions prior to 2.0.4 have a blind SQL injection vulnerability. Version 2.0.4 contains a patch for the vulnerability...
CVE-2024-56799
Simofa is a tool to help automate static website building and deployment. Prior to version 0.2.7, due to a design mistake in the RouteLoader class, some API routes may be publicly accessible when they should require authentication. This vulnerability has been patched in v0.2.7...
CVE-2024-56800 Firecrawl has SSRF Vulnerability via malicious scrape target
Firecrawl is a web scraper that allows users to extract the content of a webpage for a large language model. Versions prior to 1.1.1 contain a server-side request forgery SSRF vulnerability. The scraping engine could be exploited by crafting a malicious site that redirects to a local IP address...
CVE-2024-56801 Tasklists has Blind SQL Injection in /ajax/reorder.php
Tasklists provides plugin tasklists for GLPI. Versions prior to 2.0.4 have a blind SQL injection vulnerability. Version 2.0.4 contains a patch for the vulnerability...
CVE-2024-56517
LGSL Live Game Server List provides online status lists for online video games. Versions up to and including 6.2.1 contain a reflected cross-site scripting vulnerability in the Referer HTTP header. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the...