Yazan Abu-Nadi

13 exploits Active since May 2025
CVE-2026-31281 NOMISEC HIGH WRITEUP
Totara LMS <=v19.1.5 - HTML Injection
Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in the code executing in the recipients' browsers, which may lead to session hijacking and command execution in the victim's browser.
CVSS 8.0
CVE-2026-31282 NOMISEC CRITICAL WRITEUP
Totara LMS <=v19.1.5 - Incorrect Access Control
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack.
CVSS 9.8
CVE-2026-31283 NOMISEC CRITICAL WRITEUP
Totara LMS <=v19.1.5 - Email Bombing
In Totara LMS v19.1.5 and before, the forgot-password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.
CVSS 9.8
CVE-2025-66837 NOMISEC MEDIUM WRITEUP
ARIS 10.0.23.0.3587512 - RCE
A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file or malware.
CVSS 6.8
CVE-2025-66838 NOMISEC MEDIUM WRITEUP
ARIS v10.0.23.0.3587512 - DoS
In ARIS v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. An attacker can exploit this behavior to rapidly upload a large volume of files, potentially leading to resource exhaustion such as disk space depletion, increased server load, or degraded performance.
CVSS 6.5
CVE-2025-54321 NOMISEC CRITICAL WRITEUP
Ascertia SigningHub < 8.6.8 - DoS
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.
CVSS 9.8
CVE-2025-54320 NOMISEC MEDIUM WRITEUP
Ascertia SigningHub < 8.6.8 - Resource Allocation Without Limits
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests.
CVSS 4.3
CVE-2023-34732 NOMISEC MEDIUM WRITEUP
Flytxt NEON-dX < 0.0.1 - Brute Force
An issue in the userId parameter in the change password function of Flytxt NEON-dX v0.0.1-SNAPSHOT-6.9-qa-2-9-g5502a0c allows attackers to execute brute force attacks to discover user passwords.
CVSS 5.4
CVE-2025-56218 WRITEUP CRITICAL WRITEUP
Ascertia SigningHub < 8.6.8 - Unrestricted File Upload
An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
CVSS 9.8
CVE-2025-56219 WRITEUP HIGH WRITEUP
Ascertia SigningHub < 8.6.8 - Improper Access Control
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any rate limiting. This can lead to a resource exhaustion and a Denial of Service (DoS) when an excessively large number of user accounts are created.
CVSS 7.1
CVE-2025-56221 WRITEUP CRITICAL WRITEUP
Ascertia SigningHub < 8.6.8 - Brute Force
A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.
CVSS 9.8
CVE-2025-56223 WRITEUP HIGH WRITEUP
Ascertia SigningHub < 8.6.8 - Resource Allocation Without Limits
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.
CVSS 7.5
CVE-2025-56224 WRITEUP HIGH WRITEUP
Ascertia SigningHub < 8.6.8 - Brute Force
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a brute force attack.
CVSS 8.1