Improper authentication in CRMEB up to version 5.6.3 allows remote attackers to manipulate the uid parameter in the LoginServices.php token handler to bypass authentication, despite requiring high complexity. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.
A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. [CVSS 3.1 LOW]
MineAdmin 1.x and 2.x contains insufficient JWT token verification in the /system/refresh endpoint, allowing authenticated remote attackers to tamper with token data and potentially escalate privileges or bypass security controls. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Exploitation requires authenticated access and specific conditions, resulting in a medium severity rating with limited immediate impact.
A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. [CVSS 3.1 LOW]
IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 3.5 LOW]
Applinx versions up to 11.1.0 contains a vulnerability that allows attackers to an authenticated user to perform unauthorized administrative actions on the serv (CVSS 3.1).
Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. [CVSS 3.1 LOW]
Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. [CVSS 3.1 LOW]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a partial denial of service (partial DOS) of MySQL (CVSS 2.7).
HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. [CVSS 2.7 LOW]
Sun Zfs Storage Appliance Kit versions up to 8.8.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle ZFS Storage Appli (CVSS 2.3).
XXE injection in Bjskzy Zhiyou ERP through the RichClientService component allows authenticated attackers to read sensitive files and manipulate XML data from the network. Public exploit code exists for this vulnerability affecting versions up to 11.0, and the vendor has not provided a patch despite early disclosure notification.