Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The ap...
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not ve...
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, ...
Apache DolphinScheduler allows authenticated users to access alert instances associated with alert groups they do not have permission to access. This issue affects Apache DolphinScheduler versions before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the...
Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions.
Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions.
Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.
Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Unauthenticated Cross Site Scripting (XSS) in Kapee < 1.7.1 versions.
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.
Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.
Unauthenticated Cross Site Scripting (XSS) in collectchat <= 2.4.9 versions.
Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.