33367 matches found
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
Summary A Reflected Cross-Site Scripting XSS vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited ...
Kirby CMS has cross-site scripting (XSS) in the changes dialog
TL;DR This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames. The attack requires user interaction by another Panel user and cannot be automated. ---- Introductio...
XWiki AdminTools application doesn't set permissions on the AdminTools space
Impact Users without admin rights have access to AdminTools.SpammedPages. Details View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible. Workarounds Set the view rights for the AdminTools space to ...
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
Summary An unauthenticated attacker can exploit the unprotected registration endpoint /register to create a new user and bypass authentication. Details Critical vulnerability in Flowise 3.0.1 on-premise deployment allows unauthenticated attackers to exploit the /api/v1/account/register endpoint t...
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
Description Since version 4.12.0, Dependency-Track users with the SYSTEMCONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not...
glob CLI: Command injection via -c/--cmd executes matches with shell:true
Summary The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to...
phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
Summary An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ v4.0.13 and prior allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database...
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization.
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization...
vlife-base has Path Traversal vulnerability
A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java of the component VLifeApi. Such manipulation of the argument fileName leads to path traversal. It is possible to...
lsFusion Platform has a Path Traversal vulnerability
A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Executing manipulation of the argument sid can lead to...
lsFusion Server is vulnerable to Path Traversal through its unpackFile function
A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes path traversal. It is possible to initiate the attack...
lsFusion Platform has a Path Traversal vulnerability
A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Performing manipulation of the argument Version results in path traversal. Remote...
Memos' Access Tokens Stay Valid after User Password Change
Summary Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password. The bad actor though will still have...
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. Details AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python...
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
Summary A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields...
Directus is Vulnerable to Stored Cross-site Scripting
Summary A stored cross-site scripting XSS vulnerability exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy CSP restrictions by combining file uploads with iframe srcdo...
Directus has Improper Permission Handling on Deleted Fields
Summary Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. Details When a field is removed from a collection, its...
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references. Original Description A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient...
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
Summary A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. Impact This vulnerability stems from the...
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
Summary Bypass of Password Confirmation - Unverified Password Change authenticated change without current password An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s...
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
Summary Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change The application allows changing the account email address used as a login identifier and/or password recovery address without verifying the requester’s authority to make that change no...
Flowise Fails to Invalidate Existing Sessions After Password Changes
Summary Failure to Invalidate Existing Sessions After Password Change Persistent Session / Session Invalidity Failure. Details After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who...
Shopware 6's password recovery link does not expire after email change
Summary When a customer changes their email address after requesting a password reset, the old password reset link tied to the previous email remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email...
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
Summary Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session self-XSS. This allows an attacker who can entice a victim to drag or...
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
Summary An unauthenticated Local File Inclusion exists in the template-switching feature: if templateselection is enabled in the configuration, the server trusts the template cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file...
expr-eval vulnerable to Prototype Pollution
npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue...
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
Summary A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead...
js-yaml has prototype pollution in merge (<<)
Impact In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. Patches Problem is patched in js-yaml 4.1.1 and 3.14.2...
Mattermost allows system administrators to access password hashes and MFA secrets
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11, 10.12.x = 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11, 10.12.x = 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL...
Mattermost fails to properly restrict access to archived channel search API
Mattermost versions 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the /api/v4/teams/teamid/channels/searcharchived endpoint...
Mattermost allows regular users to access archived channel content and files
Mattermost versions 11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads...
Mattermost does not enforce MFA on WebSocket connections
Mattermost versions 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events...
golang.org/x/crypto/ssh/agent has a potential denial of service
SSH clients receiving SSHAGENTSUCCESS when expecting a typed response will panic and cause early termination of the client process...
Directus Vulnerable to Information Leakage in Existing Collections
Summary: An observable difference in error messaging was found in the Directus REST API. The /items/collection API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existi...
Directus's conceal fields are searchable if read permissions enabled
Summary A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Details The system permits sear...
LXD vulnerable to a local privilege escalation through custom storage volumes
Impact This affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the security.shifted property set to true as well as access to the host as an unprivileged user. The most common case for this would be...
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-52c5-vh7f-26fx. This link is maintained to preserve external references. Original Description Impact The prosemirrortohtml gem is vulnerable to Cross-Site Scripting XSS attacks through malicious HTML attribute...
SpiceDB WriteRelationships fails silently if payload is too big
Impact Users who 1. use the exclusion operator somewhere in their authorization schema 1. have configured their SpiceDB server such that --write-relationships-max-updates-per-call is bigger than 6500 1. issue calls to WriteRelationships with a large enough number of updates that cause the payload...
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Summary In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are: - Middleware-based protected route bypass only via...
Astro development server error page is vulnerable to reflected Cross-site Scripting
Summary A Reflected Cross-Site Scripting XSS vulnerability exists in Astro's development server error pages when the trailingSlash configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this...
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
The standard library net/http package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a...
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function
Summary It has been found an Insecure Direct Object Reference IDOR vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks. The impact is...
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Impact Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. 1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window 2. Allow user-defined...
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance
Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rdssuperuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service RDS...
AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance
Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rdssuperuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service RDS...
Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rdssuperuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service RDS...
AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance
Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rdssuperuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service RDS...
Duplicate Advisory: Keycloak allows Binding to an Unrestricted IP Address
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-j4vq-q93m-4683. This link is maintained to preserve external references. Original Description A vulnerability exists in Keycloak's server distribution where enabling debug mode --debug insecurely defaults to...
Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...