101 matches found
EUVD-2025-9731
Malicious code in bioql PyPI...
CVE-2025-6705
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new...
PT-2025-26742
Name of the Vulnerable Software and Affected Versions: Quest KACE Systems Management Appliance SMA versions 13.0.x through 13.0.384 Quest KACE Systems Management Appliance SMA versions 13.1.x through 13.1.80 Quest KACE Systems Management Appliance SMA versions 13.2.x through 13.2.182 Quest KACE...
CVE-2024-9756
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoaaddattachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access...
CVE-2023-2496
The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability check on the 'validateupload' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a...
CVE-2025-32370
Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not...
CVE-2025-31484
conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a packa...
GHSA-WG47-6JQ2-Q2HH MinIO performs incomplete signature validation for unsigned-trailer uploads
Impact This is a high priority vulnerability and users must upgrade ASAP. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket, Prior...
CVE-2025-31489
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on...
CVE-2025-31489
Affected product: MinIO object storage server. Vulnerability: incomplete/signature validation for unsigned-trailer uploads allows a client with an existing bucket WRITE permission and knowledge of an access-key and bucket name to upload arbitrary objects by using any secret. Impact (as stated): p...
CVE-2025-31484 conda-forge infrastructure uses a bad token for Azure's cf-staging access
conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a packa...
CVE-2025-31484 conda-forge infrastructure uses a bad token for Azure's cf-staging access
conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a packa...
CVE-2025-31484
CVE-2025-31484 affects the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, the infrastructure used the wrong Azure cf-staging access token, allowing any feedstock maintainer to upload a package to the conda-forge channel and bypass the standard feedstock-token + upload process. The...
CVE-2025-31484 conda-forge infrastructure uses a bad token for Azure's cf-staging access
conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a packa...
PT-2025-14560 · Unknown · Conda-Forge
Name of the Vulnerable Software and Affected Versions: conda-forge infrastructure affected versions not specified Description: A bug in the conda-forge infrastructure allowed any feedstock maintainer to upload a package to the conda-forge channel, bypassing the feedstock-token + upload process,...
GPT Academic 跨站请求伪造漏洞
GPT Academic is an interface that provides pragmatic interactions for LLM grand language models such as GPT/GLM. GPT Academic suffers from a cross-site request forgery vulnerability that stems from a WEB application that does not adequately verify that a request is from a trusted user. An attacke...
ABB Cylon Aspect 3.08.01 caldavUpload.php Funkalicious Exploit
Yo, check it - the ABB BMS/BAS system's got a slick little weakness in them caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files. All you gotta do is drop that skipChecksum beat in the POST vibe, and bam, the system skips all that MD5 checksum nonsense, no EXPERTMODE needed to...
PT-2024-34306 · Unknown · Rudra Innovative Software Training – Courses
Name of the Vulnerable Software and Affected Versions: Rudra Innovative Software Training – Courses versions prior to 2.0.1 Description: The issue allows unauthorized upload of malicious files, specifically a web shell, to a web server. This poses a significant risk to the security of the web...
CVE-2024-9985
CVE-2024-9985 involves the Ragic Enterprise Cloud Database. The vulnerability arises from improper validation of uploaded file types, enabling attackers with regular privileges to upload a webshell and execute arbitrary code on the remote server. Multiple sources (NVD and national/ regional advis...
WordPress plugin Order Attachments for WooCommerce 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...