9 matches found

NVD, added 5 hours ago, 4 views

CVE-2026-53909

MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, th...

CVSS: 5.3 | Exploits: 0 | References: 2

NVD, added 5 hours ago, 4 views

CVE-2026-53902

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrar...

CVSS: 7.1 | Exploits: 0 | References: 2

NVD, added 5 hours ago, 4 views

CVE-2026-53903

MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct...

CVSS: 5.3 | Exploits: 0 | References: 2

NVD, added 5 hours ago, 4 views

CVE-2026-53905

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive...

CVSS: 5.3 | Exploits: 0 | References: 2

NVD, added 5 hours ago, 4 views

CVE-2026-53907

MCO is vulnerable to Stored Cross-Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

CVSS: 4.8 | Exploits: 0 | References: 2

NVD, added 5 hours ago, 4 views

CVE-2026-53908

MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and...

CVSS: 6.9 | Exploits: 0 | References: 2

EUVD, added 6 hours ago, 3 views

EUVD-2026-40955

MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, th...

CVSS: 7.1 | AI score: 5.9 | Exploits: 0 | References: 2

EUVD, added 6 hours ago, 4 views

EUVD-2026-40953

MCO is vulnerable to Stored Cross-Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

CVSS: 7.1 | AI score: 5.8 | Exploits: 0 | References: 2

EUVD, added 6 hours ago, 3 views

EUVD-2026-40949

MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct...

CVSS: 7.1 | AI score: 5.8 | Exploits: 0 | References: 2