dos-m0nk3y

5 exploits Active since Oct 2024
CVE-2024-48572 WRITEUP MEDIUM WRITEUP
Aquila-cms Aquilacms < 1.409.20 - Incorrect Default Permissions
A User enumeration vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to obtain email addresses via the "Add a user" feature. The vulnerability occurs due to insufficiently validated user input being processed as a regular expression, which is then matched against email addresses to find duplicate entries.
CVSS 5.3
CVE-2024-50671 WRITEUP MEDIUM WRITEUP
Adapt Learning Adapt Authoring Tool <= 0.11.3 - Info Disclosure
Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users.
CVSS 4.3
CVE-2025-57682 WRITEUP MEDIUM WRITEUP
Papermark < 0.20.0 - Path Traversal
Directory Traversal vulnerability in Papermark 0.20.0 and prior allows authenticated attackers to retrieve arbitrary files from an S3 bucket through its CloudFront distribution via the "POST /api/file/s3/get-presigned-get-url-proxy" API
CVSS 6.5
CVE-2025-67419 WRITEUP HIGH WRITEUP
Evershop < 2.1.0 - Denial of Service
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service.
CVSS 7.5
CVE-2025-67427 WRITEUP MEDIUM WRITEUP
Evershop < 2.1.0 - SSRF
A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.
CVSS 6.5