Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES ...

CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 real-time colla...

Reference to Expired Domain Vulnerability in OpenText™ ArcSight Enterprise Security Manager.

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command ex...

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, eithe...

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. If users are allowed to sign in via b...

Anubis is a tool that allows administrators to protect bots against AI scrapers through bot-checking heuristics and a proof-of-work challenge to discourage scraping from multiple IP addresses. Anubis ...

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC cust...

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in OpenText Advanced Authentication allows Information Elicitation. The vulnerability could reveal sensitive in...

It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. ...

In the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint, it is possible to inject code in the "modalDlgMsgInternal" parameter via POST, which is then executed in the browser. The risk of e...

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes th...

During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the ...

Data provided in a request performed to the server while activating a new device are put in a database. Other high privileged users might download this data as a CSV file and corrupt their PC by openi...

Input provided in a field containing "activationMessage" in Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack. This issue has b...

Input provided in comment section of Konsola Proget is not sanitized correctly, allowing a high-privileged user to perform a Stored Cross-Site Scripting attack. This issue has been fixed in 2.17.5 ver...

The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to trans...

Improper Neutralization of Script in an Error Message Web Page vulnerability in OpenText™ Service Manager. The vulnerability could reveal sensitive information retained by the browser. This issue affe...

In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to ...

In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in furthe...

In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the us...

Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access....

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the ...

The /n software IPWorks SSH library SFTPServer component can be induced to make unintended filesystem or network path requests when loading a SSH public key or certificate. To be exploitable, an appli...