tryon-dev

2 exploits Active since Sep 2025
CVE-2025-55888 NOMISEC HIGH WRITEUP
ARD GEC En Ligne - Ajax accountName Cross-Site Scripting
A Cross-Site Scripting (XSS) vulnerability was discovered in the Ajax transaction manager endpoint of ARD. An attacker can intercept the Ajax response and inject malicious JavaScript into the accountName field. This input is not properly sanitized or encoded when rendered, allowing script execution in the context of users' browsers. This flaw could lead to session hijacking, cookie theft, and other malicious actions.
4 stars
CVSS 7.3
CVE-2025-55886 NOMISEC MEDIUM WRITEUP
ARD Payment History API - Insecure Direct Object Reference
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ARD. The flaw exists in the `fe_uid` parameter of the payment history API endpoint. An authenticated attacker can manipulate this parameter to access the payment history of other users without authorization.
3 stars
CVSS 6.5