Lucene search
K

188 matches found

Positive Technologies
Positive Technologies
added 2025/06/19 12:0 a.m.3 views

PT-2025-26203 · Pypi · Pgai

Name of the Vulnerable Software and Affected Versions: pgai versions prior to 8eb3567 Description: The issue concerns the pgai Python library, which transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to a specific commit, the library was vulnerable to an attack...

9.1CVSS6.4AI score0.00339EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 2025/06/12 9:20 p.m.10 views

CVE-2025-35940

The ArchiverSpaApi ASP.NET application uses a hard-coded JWT signing key. An unauthenticated remote attacker can generate and use a verifiable JWT token to access protected ArchiverSpaApi URL endpoints...

8.1CVSS8.1AI score0.00324EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/06/06 8:12 p.m.19 views

CVE-2025-46341

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add feed functionality an...

7.1CVSS7.7AI score0.00392EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/05 9:18 p.m.28 views

CVE-2025-49001

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available...

9.8CVSS6.8AI score0.19386EPSS
Exploits0References1
CVE
CVE
added 2025/06/02 12:0 a.m.59 views

CVE-2025-27955

The CVE-2025-27955 entry concerns Carestream Health’s Clinical Collaboration Platform v12.2.1.5. A weak logout system leaves the session token valid after logout, enabling a remote attacker to access sensitive information and potentially execute arbitrary code. Affected software: Clinical Collabo...

6.5CVSS7AI score0.0029EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2025/06/02 12:0 a.m.10 views

CVE-2025-27955

Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code...

0.0029EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/06/01 2:47 p.m.7 views

CVE-2025-3230

Mattermost versions 10.7.x = 10.7.0, 10.6.x = 10.6.2, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previous...

5.4CVSS6.9AI score0.00187EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 9:42 a.m.8 views

CVE-2024-23903

Jenkins GitLab Branch Source Plugin 684.veafa7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token...

5.3CVSS6.4AI score0.005EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 8:59 a.m.6 views

CVE-2024-5249

In versions of Akana API Platform prior to 2024.1.0, SAML tokens can be replayed...

7.5CVSS7.1AI score0.00219EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:40 a.m.9 views

CVE-2024-31205

Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery CSRF validation when calling refresh token mutation with empty string. When a user provides an empty string...

4.2CVSS7.2AI score0.00193EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:39 a.m.12 views

CVE-2024-31842

An issue was discovered in Italtel Embrace 1.6.4. The web application inserts the access token of an authenticated user inside GET requests. The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded ...

8.8CVSS6.2AI score0.00384EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:2 a.m.8 views

CVE-2023-27987

In Apache Linkis =1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to version 1.3.2 And modify t...

9.1CVSS6.8AI score0.00811EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 4:45 a.m.6 views

CVE-2023-22591

IBM Robotic Process Automation 21.0.1 through 21.0.7 and 23.0.0 through 23.0.1 could allow a user with physical access to the system due to session tokens for not being invalidated after a password reset. IBM X-Force ID: 243710...

3.9CVSS6.4AI score0.00223EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 4:10 a.m.6 views

CVE-2023-39173

In JetBrains TeamCity before 2023.05.2 a token with limited permissions could be used to gain full account access...

8.8CVSS7AI score0.00337EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 3:36 a.m.31 views

CVE-2023-28395

Osprey Pump Controller version 1.01 is vulnerable to a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass. This may allow an attacker to hijack a session by predicting the session id and gain unauthorized access to the product...

8.3CVSS7.1AI score0.00649EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 9:59 p.m.12 views

CVE-2022-44796

An issue was discovered in Object First Ootbi BETA build 1.0.7.712. The authorization service has a flow that allows getting access to the Web UI without knowing credentials. For signing, the JWT token uses a secret key that is generated through a function that doesn't produce cryptographically...

9.8CVSS6.7AI score0.00671EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 6:32 p.m.8 views

CVE-2021-32776

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0...

8.8CVSS6.6AI score0.00377EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 4:16 p.m.7 views

CVE-2020-13416

An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery CSRF vulnerability for password resets...

6.5CVSS7.2AI score0.0051EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/22 7:49 a.m.11 views

CVE-2019-13337

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter accesstoken this is the parameter used by the API. No valid token is required since it is not validated by the backend. The website can then be browsed as if no basic authentication is...

7.5CVSS7.1AI score0.01405EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:49 a.m.8 views

CVE-2019-11514

User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta.8 mishandles invalidation of user email tokens...

7.5CVSS6.8AI score0.01337EPSS
Exploits0References1
Rows per page
Query Builder