Henkel-CyberVM/CVEs

CVE reports created by Henkel AG & Co. KGaA's Cyber Defense team.

CVE History

CVE | Published | CVSS v3 | CVSS v2
5.4 MEDIUM

A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

9.8 CRITICAL

An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification and access the application's resources.

4.3 MEDIUM

Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.

5.3 MEDIUM

Kazaar 1.25.12 accepts a JWT whose alg header field is set to none.

4.3 MEDIUM

IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization.

6.5 MEDIUM

Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id.

8.8 HIGH

DigiSign DigiSigner ONE 1.0.4.60 allows DLL Hijacking.

5.8 MEDIUM

Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page.

9.8 CRITICAL

MuM (aka Mensch und Maschine) MapEdit (aka mapedit-web) 24.2.3 is vulnerable to SQL Injection that allows an attacker to execute malicious SQL statements that control a web application's database server.

6.1 MEDIUM

A cross-site scripting (reflected XSS) vulnerability was found in Mettler Toledo FreeWeight.Net Web Reports Viewer 8.4.0 (440). It allows an attacker to inject malicious scripts via the IW_SessionID_ parameter.

9.8 CRITICAL

LabVantage before LV 8.8.0.13 HF6 allows local file inclusion. Authenticated users can retrieve arbitrary files from the environment via the objectname request parameter.

7.8 HIGH

DPMAdirektPro 4.1.5 is vulnerable to DLL Hijacking. It happens by placing a malicious DLL in a directory (in the absence of a legitimate DLL), which is then loaded by the application instead of the legitimate DLL. This causes the malicious DLL to load with the same privileges as the application, thus causing a privilege escalation.

9.8 CRITICAL

TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal).

7.3 HIGH

Codemers KLIMS 1.6.DEV allows Python code injection. A user can provide Python code as an input value for a parameter or qualifier (such as for sorting), which will get executed on the server side.

7.3 HIGH

Codemers KLIMS 1.6.DEV lacks a proper access control mechanism, allowing a normal KLIMS user to perform all the actions that an admin can perform, such as modifying the configuration, creating a user, uploading files, etc.