| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist. |
| Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature
This issue affects the following versions :
* Devolutions Server 2025.2.2.0 through 2025.2.4.0
*
Devolutions Server 2025.1.11.0 and earlier |
| Improper access control in user group management in Devolutions Server 2025.1.7.0 and earlier allows a non-administrative user with both "User Management" and "User Group Management" permissions to perform privilege escalation by adding users to groups with administrative privileges. |
| A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6. |
| A vulnerability was found in Mist Community Edition up to 4.7.1. It has been classified as critical. This affects the function create_token of the file src/mist/api/auth/views.py of the component API Token Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The identifier of the patch is db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. |
| A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Performing manipulation of the argument product_image results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used. |
| A vulnerability was determined in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. This affects the function rename of the file /Admin/Http/Controllers/FileManagerController.php. This manipulation of the argument new_name causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.6.0 is able to mitigate this issue. The affected component should be upgraded. |
| A security flaw has been discovered in Bdtask/CodeCanyon News365 up to 7.0.3. This affects an unknown function of the file /admin/dashboard/profile. The manipulation of the argument profile_image/banner_image results in unrestricted upload. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. |
| A weakness has been identified in Bdtask Flight Booking Software 4. Affected by this vulnerability is an unknown functionality of the file /agent/profile/edit of the component Edit Profile Page. This manipulation causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. |
| A vulnerability was detected in Bdtask Flight Booking Software up to 3.1. This affects an unknown part of the file /b2c/package-information of the component Package Information Module. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.
This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected. |
| A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_product.php. Executing manipulation of the argument product_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. |
| Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules. |
| A vulnerability was identified in projectworlds Online Notes Sharing Platform 1.0. Affected by this issue is some unknown functionality of the file /dashboard/userprofile.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be performed from remote. The exploit is publicly available and might be used. |
| The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. |
| A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. |
| A vulnerability was detected in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. The attack may be initiated remotely. The exploit is now public and may be used. |
| A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges. |
| A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user’s assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services. |
