795 matches found
CVE-2024-39325
aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9,...
CVE-2024-39325 aimeos/ai-controller-frontend doesn't reset payment status in basket
aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9,...
Reflected Cross-Site Scripting (XSS) in zenml
A reflected Cross-Site Scripting XSS vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a...
CVE-2024-5933
A Cross-site Scripting XSS vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser...
USN-6843-1 plasma-workspace vulnerability
Fabian Vogt discovered that Plasma Workspace incorrectly handled connections via ICE. A local attacker could possibly use this issue to gain access to another user's session manager and execute arbitrary code...
CSV Injection
silverstripe/framework is vulnerable to CSV injection. The vulnerability is due to the potential inclusion of executable macros and scripts in the exported CSV files, which allows an attacker to execute arbitrary code or commands on the user's system...
CVE-2024-38351 Password auth and OAuth2 unverified email linking
Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register...
CVE-2024-5961 Reflected XSS in 2ClickPortal
Improper neutralization of input during web page generation vulnerability in 2ClickPortal software allows reflected cross-site scripting XSS. An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. This issue affects 2ClickPortal software...
CVE-2024-3402 Stored XSS vulnerability in gaizhenbiao/chuanhuchatgpt
A stored Cross-Site Scripting XSS vulnerability existed in version 20240121 of gaizhenbiao/chuanhuchatgpt due to inadequate sanitization and validation of model output data. Despite user-input validation efforts, the application fails to properly sanitize or validate the output from the model,...
CVE-2024-5133
CVE-2024-5133 affects lunary-ai/lunary v1.2.4, where the password recovery token (recovery_token) is exposed in API responses for GET /v1/users/me/org, listing all users in a team. Any authenticated user could capture another user’s recovery token and change their password, enabling account takeo...
CVE-2024-5133 Account Takeover via Exposed Recovery Token in lunary-ai/lunary
In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the GET /v1/users/me/org endpoint, which...
Cross-Site Scripting (XSS)
typo3/cms-core is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insecurely encoding information from external sources in language pack handling, which allows attackers to execute malicious scripts in the context of the user’s browser...
RHEL 5 : libuser (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - libuser: TOCTOU race conditions by copying and removing directory trees CVE-2012-5630 - libuser: Security...
GitLab 12.2 < 13.4.7 / 13.5 < 13.5.5 / 13.6 < 13.6.2 (CVE-2020-26408)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - A limited information disclosure vulnerability exists in Gitlab CE/EE from = 12.2 to =13.5 to =13.6 to = 12.2 to =13.5 to =13.6 to 13.6.2 that allows an attacker to view limited information in user's...
CVE-2024-3579 XSS in Online Shopping System Advanced
Open-source project Online Shopping System Advanced is vulnerable to Reflected Cross-Site Scripting XSS. An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser...
CVE-2024-3654
An XSS vulnerability has been found in Teimas Global's Teixo, version 1.42.42-stable. This vulnerability could allow an attacker to send a specially crafted JavaScript payload via the "seconds" parameter in the program's URL, resulting in a possible takeover of a registered user's session...
Improper Validation in the User's Avatar Mechanism - ownCloud
Improper Validation in the User’s Avatar Mechanism may allow an authenticated attacker to edit their own profile in a way that consumes a substantial amount of resources, creating a Denial of Service...
CVE-2024-0157
Dell Storage Resource Manager (SRM) for Windows includes a Session Fixation vulnerability in the SRM Windows Host Agent affecting version 4.9.0.0 and earlier. An unauthenticated attacker on an adjacent network could potentially hijack a targeted user’s application session. Public details in conne...
Adobe Commerce Input Validation Error Vulnerability (CNVD-2024-19008)
Adobe Commerce is the United States of America Odobie Adobe company's a business and brand-oriented global leader in digital commerce solutions. Adobe Commerce has an input validation error vulnerability that stems from vulnerability to incorrect input validation vulnerability, which could lead t...
CVE-2024-3570 Stored XSS leading to Admin Account Takeover in mintplex-labs/anything-llm
A stored Cross-Site Scripting XSS vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to...