Improper access control in Acronis Cyber Protect 17 (Linux and Windows) prior to build 41186 allows authenticated users to view sensitive information they should not have access to. The vulnerability requires valid credentials and network access but does not enable data modification or system availability impacts. No patch is currently available for this medium-severity disclosure risk.
Acronis Cyber Protect 17 prior to build 41186 contains insufficient access control validation that permits authenticated users to read sensitive data they should not have access to. The vulnerability affects both Linux and Windows deployments and requires valid credentials to exploit, limiting the attack surface to authenticated attackers. No patch is currently available.
Rank Math SEO PRO through version 3.0.95 contains an authorization bypass in its access control implementation that allows authenticated users to perform unauthorized modifications. An attacker with valid login credentials could exploit this misconfiguration to alter content or settings they should not have access to. No patch is currently available to address this vulnerability.
WP eCommerce WordPre versions up to 3.15.1 is affected by cross-site request forgery (csrf) (CVSS 4.3).
Stellar-xdr prior to version 25.0.1 fails to validate string length constraints in the StringM::from_str function, allowing oversized strings to bypass maximum length checks and create invalid StringM objects. Applications relying on this type's length invariant for serialization, validation, or security decisions could process malformed data that violates expected constraints. Local attackers or malicious input sources could exploit this to cause unexpected behavior in dependent code.
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. [CVSS 2.5 LOW]
Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debug mode Cryptomator might leak cleartext paths into the log file. This can reveal meta information about the files stored inside a vault at a time, where the actual vault is closed. Not every cleartext path is logged. Only if a filesystem request fails for some reason (e.g. damaged encrypted file,...
SQL injection in DefaultFunction Jeson CRM 1.0.0 allows authenticated attackers to manipulate the ID parameter in /modules/customers/edit.php and execute arbitrary SQL queries, potentially compromising data confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available despite the identified fix commit hash.
Reflected cross-site scripting in HSC Cybersecurity Mailinspector through version 5.3.2-3 allows remote attackers to inject malicious scripts via the error_description parameter in the URL handler component. Public exploit code exists for this vulnerability, which could enable attackers to steal session cookies or perform actions on behalf of authenticated users. Users should upgrade to version 5.4.0 or apply the available hotfix immediately.