
54 matches found

Github Security Blog
added 2026/03/05 9:58 p.m., 7 views

Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint

Summary: The /api/v1/account/forgot-password endpoint returns the full user object including PII (id, name, email, status, timestamps) in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email...

AI score 5.9
Exploits 0, References 2, Affected Software 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2010-5235

Malware in sbrugna...

CVSS 4.3, AI score 6.4, EPSS 0.00325
Exploits 0, References 5
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-23517

Malware in sbrugna...

CVSS 4.3, AI score 4.8, EPSS 0.00328
Exploits 1, References 2
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2020-0527

Malware in sbrugna...

CVSS 6.5, AI score 6.4, EPSS 0.00461
Exploits 0, References 5
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-3022

Malicious code in bioql PyPI...

CVSS 4.9, AI score 5.1, EPSS 0.00152
Exploits 0, References 6
RedhatCVE
added 2025/05/23 5:06 a.m., 4 views

CVE-2023-5968

Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body...

CVSS 4.9, AI score 6.9, EPSS 0.00152
Exploits 0
RedhatCVE
added 2025/05/22 7:36 p.m., 3 views

CVE-2021-29643

PRTG Network Monitor before 21.3.69.1333 allows stored XSS via an unsanitized string imported from a User Object in a connected Active Directory instance...

CVSS 5.4, AI score 5.6, EPSS 0.00302
Exploits 1, References 1
RedhatCVE
added 2025/05/22 4:22 p.m., 4 views

CVE-2020-15126

In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object...

CVSS 6.5, AI score 6.9, EPSS 0.00461
Exploits 0
RedhatCVE
added 2025/05/22 3:45 p.m., 5 views

CVE-2020-35934

The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object including all metadata upon login via the REST API aam/v1/authenticate or aam/v2/authenticate. This is a security problem if this object stores information that the user is not supposed to have, e.g.,...

CVSS 4.3, AI score 6.7, EPSS 0.00328
Exploits 1
RedhatCVE
added 2025/05/22 2:41 a.m., 5 views

CVE-2010-5276

The Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal does not properly handle the $user object in memcacheadmin, which might "lead to a role change not being recognized until the user logs in again."...

CVSS 4.3, AI score 6.9, EPSS 0.00325
Exploits 0, References 1
NVD
added 2025/03/07 9:15 a.m., 3 views

CVE-2025-21843

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: avoid garbage value in panthor_ioctl_dev_query(). 'priorities_info' is uninitialized, and the uninitialized value is copied to the user object when calling PANTHOR_UOBJ_SET. Using memset to initialize 'priorities_info' to avoid th...

CVSS 5.5, EPSS 0.00076
Exploits 0, References 2
SUSE CVE
added 2024/12/03 12:16 a.m., 1 view

SUSE CVE-2024-53115

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle. The 'vmw_user_object_buffer' function may return NULL with incorrect inputs. To avoid a possible null pointer dereference, add a check whether the 'bo' is NULL in the...

CVSS 5.5, AI score 7.7, EPSS 0.00033
Exploits 0, References 3
OSV
added 2024/12/02 2:15 p.m., 2 views

DEBIAN-CVE-2024-53115

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle. The 'vmw_user_object_buffer' function may return NULL with incorrect inputs. To avoid a possible null pointer dereference, add a check whether the 'bo' is NULL in the...

CVSS 5.5, AI score 5.7, EPSS 0.00033
Exploits 0, References 1
OSV
added 2024/08/21 2:30 p.m., 5 views

GO-2022-0365 User object created with invalid provider data in GoTrue in github.com/netlify/gotrue

User object created with invalid provider data in GoTrue in github.com/netlify/gotrue...

AI score 7.1
Exploits 0, References 4
NVD
added 2024/06/20 3:15 a.m., 20 views

CVE-2024-5213

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (POST /api/request-token) and after account creation (POST /api/admin/users/new). This exposure occurs because the entire User object,...

CVSS 6.5, EPSS 0.00321
Exploits 1, References 2
Cvelist
added 2024/06/20 2:15 a.m., 26 views

CVE-2024-5213 Exposure of Sensitive Information in mintplex-labs/anything-llm

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (POST /api/request-token) and after account creation (POST /api/admin/users/new). This exposure occurs because the entire User object,...

CVSS 5.3, EPSS 0.00321
Exploits 1, References 2
CNNVD
added 2024/06/20 12:00 a.m., 1 view

AnythingLLM Security Vulnerability

AnythingLLM is a document chatbot that meets business requirements. A security vulnerability exists in Mintplex Labs AnythingLLM versions 1.5.3 and earlier, which stems from the fact that the entire User object, including the bcrypt password hash, is included in the response sent to the front-end, ...

CVSS 6.5, AI score 6.7, EPSS 0.00321
Exploits 1, References 3
CNVD
added 2023/12/13 12:00 a.m., 20 views

Zammad Information Disclosure Vulnerability (CNVD-2023-9769727)

Zammad is a suite of ticket management software from the German company Zammad. Zammad suffers from an information disclosure vulnerability that stems from the use of the public endpoint /api/v1/signshow as its login screen, which returns internal configuration data for user object attributes. An...

CVSS 5.3, AI score 6.2, EPSS 0.00259
Exploits 0, References 1
Prion
added 2023/12/10 7:15 p.m., 11 views

Design/Logic Flaw

An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as selectable values, which should not be visible to the public...

CVSS 5, AI score 7, EPSS 0.00259
Exploits 0, References 1, Affected Software 1
Tenable Nessus
added 2023/11/15 12:00 a.m., 27 views

Mattermost Server < 7.8.12 / 8.0.x < 8.0.4 / 8.1.x < 8.1.3 / 9.0.0 Multiple Vulnerabilities (MMSA-2023-00240) (MMSA-2023-00242) (MMSA-2023-00246)

The version of Mattermost Server running on the remote host is prior to 7.8.12, 8.0.x prior to 8.0.3, 8.1.x prior to 8.1.3, or 9.0.0. It is, therefore, affected by multiple vulnerabilities: - Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request...

CVSS 5.3, AI score 5.2, EPSS 0.00152
Exploits 0, References 4