33227 matches found
Concrete CMS is vulnerable to CSRF via Backend\File::approveVersion
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with editfilecontents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version downgrade to an older version of a file, or activation of a co-editor's unpublished version. Thanks...
Concrete CMS is vulnerable to Stored XSS via page name in the Atomik theme
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicio...
Concrete CMS is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity...
Go Net HTML parser is vulnerable to denial of service
In Go Net golang.org/x/net before verion 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service...
Apache CXF has an LDAP injection vulnerability
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...
Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users v...
Mattermost doesn't validate file ownership and access control
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs...
Apache CXF: Untrusted JMS configuration can lead to RCE
The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1...
Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members roles via invoking various team API...
Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID: MMSA-2026-00646...
Apache CXF's WS-Transfer module has an insecure XML parser configuration
Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...
Mattermost doesn't validate user-supplied input in API request handlers
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID:...
Mattermost doesn't archive the channel before removing persistent notifications
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to crash the server via timing the creation of persistent notification message between the server deleting...
Mattermost doesn't validate the TIFF IFD offset in the image header before allocating memory
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.2, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service serve...
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Summary Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user ...
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
Summary nezha's dashboard supports two user roles: RoleAdmin Role==0 and RoleMember Role==1. The cron routes POST /api/v1/cron and PATCH /api/v1/cron/:id are wired through commonHandler any authenticated user rather than adminHandler, and the per-server permission check on cron creation has a...
Arcane: Missing admin authorization on global variables endpoint
Summary The PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token...
instagrapi: Unsafe signup challenge path handling in instagrapi
instagrapi versions before 2.6.9 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intende...
aiograpi: Unsafe signup challenge path handling
aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended...
Parse Server: Pre-authentication denial of service via client version header regex backtracking
Impact An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before...
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
Summary createAlertRule and createService and their update siblings accept FailTriggerTasks uint64 and RecoverTriggerTasks uint64 — IDs of cron tasks to fire when the alert/service trips. The validation function only validates the alert's Rules.Ignore server map; it never checks that the cron tas...
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
Summary nezha's dashboard supports two user roles: RoleAdmin Role==0 and RoleMember Role==1. The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers...
Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance
Summary Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user. If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth...
aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
Vulnerability Description In aiosend/webhook/base.py, the WebhookHandler.feedupdate method performs full deserialization of the incoming JSON via Pydantic before verifying the HMAC signature. Anyone can send a request with an arbitrary body — the server will parse it, spend CPU and memory, and on...
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
Summary qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options skipNulls, strictNullHandling. Details In the comma + encodeValuesOnly...
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
Summary publicPatchHandler in backend/http/public.go joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversa...
YesWiki: Unauthenticated SQL Injection
Summary An unauthenticated SQL injection in the Bazar form-import path FormManager::create allows any unauthenticated visitor of a default YesWiki install to inject arbitrary SQL into an INSERT statement and read the full database, including yeswikiusers.password hashes. Present in 4.6.1 / 4.6.2 ...
ImageMagick: Heap Buffer Over-Read in distributed pixel cache server
An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process...
ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
The distributed pixel cache was originally designed to operate without a challenge–response authentication model. However, given today’s heightened security expectations, we have changed our implementation...
ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking
An attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met...
ImageMagick: Heap Buffer Over-Write in distributed pixel cache server
An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion()
Concrete CMS 9 through 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file approveVersion...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/design...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple()
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file rescanMultiple...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete
Concrete CMS 9 through 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/logs/delete...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/cache...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/express/association/reorder...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete
Concrete CMS 9 through 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/page/bulk/delete...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan()
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file rescan...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star()
Concrete CMS 9 through 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file star...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file removeFavoriteFolder$id...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)
Concrete CMS 9 through 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file addFavoriteFolder$id...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete
Concrete CMS 9 through 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/logs/bulk/delete...
Concrete CMS is vulnerable to IDOR in surveys
Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID throu...
Concrete CMS is Vulnerable to Reflected XSS in Legacy Pagination
Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" . Any authenticated admin or report viewer with access to...
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/dialog/event/duplicate...
Concrete CMS is vulnerable to IDOR
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/getrating' endpoint confirms existence and returns rating score for any message by ID...
Concrete CMS is vulnerable to IDOR
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/messagepage' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and th...
Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens...
Concrete CMS is vulnerable to Stored XSS via external-link page cvName
Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized...