Writeup Exploits
60,708 exploits tracked across all sources.
GitLab 8.10.0-11.0.5 11.1.0-11.1.4 11.2.0-11.2.1 - Missing Authorization for API Repository Storage
An issue was discovered in GitLab Community and Enterprise Edition before 11.0.6, 11.1.x before 11.1.5, and 11.2.x before 11.2.2. There is Missing Authorization Control for API Repository Storage.
CVSS 6.5
PbootCMS - SQL Injection via api.php/List/index order parameter
An issue was discovered in PbootCMS. There is a SQL injection via the api.php/List/index order parameter.
CVSS 9.8
PbootCMS - SQL Injection via api.php/Cms/search order parameter
An issue was discovered in PbootCMS. There is a SQL injection via the api.php/Cms/search order parameter.
CVSS 9.8
Mayan EDMS < 3.0.3 - Cross-Site Scripting via Tag Label Handling
An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has XSS because tag label values are mishandled.
CVSS 6.1
Mayan EDMS < 3.0.3 - Cross-Site Scripting via Tag Label Handling
An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has XSS because tag label values are mishandled.
CVSS 6.1
Mayan EDMS < 3.0.3 - Cross-Site Scripting via Tag Label Handling
An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has XSS because tag label values are mishandled.
CVSS 6.1
Mayan EDMS < 3.0.2 - Stored Cross-Site Scripting via Cabinet Label
An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app has XSS via a crafted cabinet label.
CVSS 6.1
Mayan EDMS < 3.0.2 - Stored Cross-Site Scripting via Cabinet Label
An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app has XSS via a crafted cabinet label.
CVSS 6.1
Mayan EDMS < 3.0.2 - Stored Cross-Site Scripting via Cabinet Label
An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app has XSS via a crafted cabinet label.
CVSS 6.1
Mayan EDMS < 3.0.2 - Cross-Site Scripting via Appearance App
An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS.
CVSS 6.1
Mayan EDMS < 3.0.2 - Cross-Site Scripting via Appearance App
An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS.
CVSS 6.1
Mayan EDMS < 3.0.2 - Cross-Site Scripting via Appearance App
An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS.
CVSS 6.1
CVE-2014-3840
WRITEUP
Mayan EDMS 0.13 - Authenticated Stored Cross-Site Scripting via Tag, Title, Name, or Smart Link Fields
Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name field in a bootstrap setup, or Title field in a (4) smart link or (5) web form.
CVE-2014-3840
WRITEUP
Mayan EDMS 0.13 - Authenticated Stored Cross-Site Scripting via Tag, Title, Name, or Smart Link Fields
Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name field in a bootstrap setup, or Title field in a (4) smart link or (5) web form.
Navigate CMS - Stored Cross-Site Scripting via Title Field in Edit Action
Navigate CMS has Stored XSS via the navigate.php Title field in an edit action.
CVSS 5.4
GitLab Community and Enterprise Edition <11.3.11 <11.4.8 <11.5.1 - Incorrect Access Control in Issue Comments
An Incorrect Access Control issue was discovered in GitLab Community and Enterprise Edition 6.0 and later but before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. The issue comments feature could allow a user to comment on an issue which they shouldn't be allowed to.
CVSS 9.1
GitLab CE/EE <11.3.11-11.5.1 - CRLF Injection
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
CVSS 7.5
GitLab EE <11.3.11-11.5.1 - Info Disclosure
GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups.
CVSS 7.5
GitLab CE/EE <11.3.11-11.5.1 - Info Disclosure
GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token.
CVSS 6.5
GitLab EE <11.4.8-11.5.1 - Info Disclosure
GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.
CVSS 4.3
GitLab EE <11.3.11-11.5.1 - Info Disclosure
GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create.
CVSS 7.5
GitLab <11.5.1-11.3.11 - Info Disclosure
All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made.
CVSS 5.3
GitLab 11.5.0 - Stored Cross-Site Scripting in Operations Page
GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1.
CVSS 5.4
GitLab EE <11.5.1 - Info Disclosure
GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page.
CVSS 6.5
Gitlab CE/EE <11.3.11-11.5.1 - Info Disclosure
Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue.
CVSS 5.3
By Source