
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

25 CVEs | Avg CVSS 4.8 | MITRE (CWE entry)
By severity: 2 CRITICAL, 3 HIGH, 10 MEDIUM, 10 LOW
With public PoC: 12 | In CISA KEV: 0


CVE-2026-33603 | MEDIUM | PATCH | This Month

Man-in-the-middle attackers positioned between OX Dovecot Pro and its clients can forge the SCRAM TLS channel binding via specially crafted base64 exchanges, allowing eavesdropping on encrypted communications. The attack requires network-level access and knowledge of channel binding mechanics but yields complete confidentiality compromise. No public exploit code is known, and patched versions are available from Open-Xchange.

Tags: Information Disclosure, Microsoft, Red Hat, Suse
Sources: NVD, VulDB
CVSS 3.1: 6.8 | EPSS: 0.0%
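The entry above turns on how a SCRAM server validates the channel-binding attribute the client sends. The following is an added example, not Dovecot's code and not a reproduction of the reported flaw: it implements the server-side check for the tls-server-end-point binding type as RFC 5802 section 5.1, RFC 7677 and RFC 5929 describe it, with a strict base64 decoder, the expected value rebuilt from the server's own certificate, and a full-length constant-time comparison. The certificate bytes, nonce and proof values are constructed stand-ins.

```python
# Added example, not Dovecot's code and not a reproduction of the flaw in the
# entry above. It shows the check a SCRAM server must apply to the channel
# binding attribute ("c=") of the client-final-message (RFC 5802 section 5.1,
# RFC 7677) when the tls-server-end-point binding type (RFC 5929) is in use:
# decode the base64 strictly, rebuild the expected value from the server's
# own TLS session, and compare the full value in constant time. Certificate
# bytes, nonce and proof are constructed stand-ins.
import base64
import binascii
import hashlib
import hmac
from typing import Dict

GS2_HEADER = "p=tls-server-end-point,,"   # client demands channel binding, no authzid

# Constructed stand-ins for DER certificates (real code hashes the X.509 DER).
SERVER_CERT = b"constructed-DER: real server certificate"
MITM_CERT = b"constructed-DER: attacker certificate presented to the client"


def strict_b64decode(text: str) -> bytes:
    """Reject what a lenient decoder would silently accept: non-alphabet
    bytes, excess or missing padding, and non-canonical trailing bits."""
    raw = base64.b64decode(text, validate=True)
    if base64.b64encode(raw).decode("ascii") != text:
        raise ValueError("non-canonical base64")
    return raw


def server_end_point_cbind(cert_der: bytes) -> bytes:
    """RFC 5929 section 4.1: hash of the server certificate with the hash of
    its signature algorithm (SHA-256 assumed for the constructed certificate)."""
    return hashlib.sha256(cert_der).digest()


def client_c_attr(cert_seen_by_client: bytes, gs2_header: str = GS2_HEADER) -> str:
    """The client's c= value: base64(gs2-header || cbind-data)."""
    payload = gs2_header.encode("ascii") + server_end_point_cbind(cert_seen_by_client)
    return base64.b64encode(payload).decode("ascii")


def parse_attrs(message: str) -> Dict[str, str]:
    """Split 'k=v,k=v' SCRAM attributes on the first '=' only (c= contains '=');
    duplicate or malformed attributes are an error, never a silent overwrite."""
    attrs: Dict[str, str] = {}
    for part in message.split(","):
        key, sep, value = part.partition("=")
        if sep != "=" or len(key) != 1 or key in attrs:
            raise ValueError("malformed attribute: %r" % part)
        attrs[key] = value
    return attrs


def verify_channel_binding(c_attr: str, server_cert_der: bytes,
                           gs2_header: str = GS2_HEADER) -> bool:
    """Server side. gs2_header is the header received in client-first-message;
    the cbind-data is computed from the server's own TLS endpoint, never taken
    from anything the client sent."""
    try:
        presented = strict_b64decode(c_attr)
    except (binascii.Error, ValueError):
        return False
    expected = gs2_header.encode("ascii") + server_end_point_cbind(server_cert_der)
    # Full-length, constant-time comparison; a prefix match would let a
    # truncated or padded value through.
    return hmac.compare_digest(presented, expected)


def server_accepts_client_final(client_final: str, server_cert_der: bytes) -> bool:
    """Checks only the channel-binding part of client-final-message
    ('c=...,r=...,p=...'). A real server then verifies the ClientProof, which
    also covers c= because client-final-message-without-proof is part of
    AuthMessage."""
    try:
        attrs = parse_attrs(client_final)
    except ValueError:
        return False
    if not {"c", "r", "p"} <= attrs.keys():
        return False
    return verify_channel_binding(attrs["c"], server_cert_der)


def build_client_final(cert_seen_by_client: bytes, nonce: str = "constructed-nonce",
                       proof_b64: str = "cHJvb2Y=") -> str:
    """Client side, constructed nonce and proof; only c= matters here."""
    return "c=%s,r=%s,p=%s" % (client_c_attr(cert_seen_by_client), nonce, proof_b64)


if __name__ == "__main__":
    print("direct client:", server_accepts_client_final(build_client_final(SERVER_CERT), SERVER_CERT))
    print("relayed via MITM:", server_accepts_client_final(build_client_final(MITM_CERT), SERVER_CERT))
```

A c= value that a client computed against an attacker's certificate and that the attacker relays is rejected because the server derives the expected value from its own endpoint; the canonical re-encoding check additionally rejects inputs that lenient decoders tolerate, such as excess trailing padding, embedded line breaks or non-canonical trailing bits. Verifying c= is necessary but not sufficient: the ClientProof check must still follow, since that is what prevents an attacker from substituting a c= of their own choosing.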
CVE-2026-7303 | Maven | LOW | PATCH | Monitor

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. The affected code is the function logDetailCat in the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the Execution Log Handler component: manipulation of the logId argument results in improper control of resource identifiers. The attack can be performed remotely but is characterized by high complexity and is considered difficult to exploit. Exploit code has been released to the public and may be used for attacks. Upgrading to version 3.4.0 addresses this issue; the fix is commit d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a.

Tags: Java, Information Disclosure
Sources: NVD, VulDB, GitHub
CVSS 4.0: 2.9 | EPSS: 0.1%
CVE-2026-5414 | MEDIUM | POC | This Month

Improper control of resource identifiers in Newgen OmniDocs up to version 12.0.00 allows unauthenticated remote attackers to access sensitive information via manipulation of the DocumentId parameter in the /omnidocs/WebApiRequestRedirection endpoint. The vulnerability has publicly available exploit code and a medium CVSS score (5.5) that reflects confidentiality impact only, but the combination of network attack vector, no authentication requirement and public exploit availability warrants immediate assessment. The vendor has not responded to disclosure attempts.

Tags: Information Disclosure
Sources: NVD, VulDB
CVSS 4.0: 5.5 | EPSS: 0.0%
CVE-2026-5031 | LOW | POC | Monitor

BichitroGan ISP Billing Software 2025.3.20 contains an improper resource identifier control vulnerability in the settings/users-view endpoint that allows authenticated remote attackers to disclose sensitive information via manipulation of the ID parameter. The vulnerability has a CVSS score of 4.3 with publicly available exploit code; the vendor has not responded to disclosure attempts.

Tags: Information Disclosure
Sources: NVD, VulDB, GitHub
CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-3693 | MEDIUM | This Month

Improper resource identifier validation in Shy2593666979 AgentChat versions up to 2.3.0 allows unauthenticated remote attackers to manipulate the user_id parameter in the user endpoint, potentially gaining unauthorized access to or modifying user data. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. No patch is currently available.

Tags: Information Disclosure
Sources: NVD, GitHub, VulDB
CVSS 4.0: 5.5 | EPSS: 0.1%
CVE-2025-12919 | npm | LOW | POC | Monitor

A vulnerability was detected in EverShop up to 2.0.1. Rated medium severity (CVSS 6.3), it is remotely exploitable without authentication. Public exploit code is available and no vendor patch is available.

Tags: Information Disclosure
Sources: NVD, GitHub, VulDB
CVSS 4.0: 2.9 | EPSS: 0.1%
CVE-2025-12918 | PHP | LOW | POC | Monitor

A security flaw has been discovered in yungifez Skuul School Management System up to 2.6.5. Rated low severity (CVSS 2.3), it is remotely exploitable. Public exploit code is available and no vendor patch is available.

Tags: Information Disclosure
Sources: NVD, GitHub, VulDB
CVSS 4.0: 1.3 | EPSS: 0.0%
CVE-2025-12270 | LOW | POC | Monitor

LearnHouse allows authenticated remote attackers to access student assignment files they are not authorized to view, through improper control of resource identifiers in the Student Assignment Submission Handler API endpoint, disclosing sensitive academic materials. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, and public exploit code has been disclosed. The EPSS exploitation probability is 0.04% (13th percentile), indicating low real-world exploitation likelihood despite the public PoC.

Tags: Information Disclosure, Learnhouse
Sources: NVD, GitHub, VulDB
CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2025-43491 | HIGH | This Month

A vulnerability in the Poly Lens Desktop application running on Windows might allow modifications to the filesystem, which might lead to SYSTEM-level privileges being granted. Rated high severity (CVSS 7.3), it has low attack complexity. No vendor patch is available.

Tags: Windows, Information Disclosure, Microsoft, Poly Lens Desktop
Sources: NVD
CVSS 4.0: 7.3 | EPSS: 0.0%
CVE-2025-9619 | MEDIUM | This Month

A security flaw has been discovered in E4 Sistemas Mercatus ERP 2.00.019. Rated medium severity (CVSS 6.9), it is remotely exploitable without authentication and has low attack complexity. No vendor patch is available.

Tags: Information Disclosure
Sources: NVD, VulDB
CVSS 4.0: 6.9 | EPSS: 0.0%
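Several entries above (the xxl-job logId argument, the OmniDocs DocumentId parameter, the ISP Billing ID parameter, the AgentChat user_id parameter, the LearnHouse submission endpoint) describe the same CWE-99 pattern: a client-supplied identifier is resolved directly to a resource. The following is an added example, not code from any of those projects, showing that pattern beside a hardened handler that validates the identifier's grammar and binds the lookup to the authenticated principal, together with the sweep a tester runs to measure cross-tenant reads on such an endpoint. The backing store, user names and identifier format are constructed.

```python
# Added example, not code from xxl-job, OmniDocs, AgentChat, LearnHouse or any
# other project listed on this page. It models the CWE-99 pattern those entries
# share: a handler that resolves a client-supplied identifier (logId,
# DocumentId, ID, user_id) straight to a record, without tying the lookup to
# the caller's authorization. Store contents, user names and identifier
# grammar are constructed for the example.
import re
from typing import Callable, Dict, Iterable

# Constructed backing store: numeric record ids, each owned by one user.
RECORDS: Dict[int, Dict[str, str]] = {
    1001: {"owner": "alice", "body": "alice's execution log"},
    1002: {"owner": "bob", "body": "bob's execution log"},
    1005: {"owner": "carol", "body": "carol's execution log"},
}


class NotFound(Exception):
    pass


class BadIdentifier(Exception):
    pass


# Identifier grammar enforced before any lookup (assumed: decimal ids only).
_ID_RE = re.compile(r"[0-9]{1,12}")

Fetch = Callable[[str, str], str]


def vulnerable_fetch(raw_id: str, principal: str) -> str:
    """CWE-99: the identifier is trusted and `principal` is never consulted,
    so any caller who can reach the route reads any record by changing the id."""
    rec = RECORDS.get(int(raw_id))
    if rec is None:
        raise NotFound(raw_id)
    return rec["body"]


def hardened_fetch(raw_id: str, principal: str) -> str:
    """Same lookup with the two controls the weakness calls for."""
    # 1. Syntactic validation: the identifier must match the expected grammar
    #    before it reaches any parser, query or filesystem call.
    if not _ID_RE.fullmatch(raw_id):
        raise BadIdentifier(raw_id)
    rec = RECORDS.get(int(raw_id))
    # 2. Authorization bound to the identifier: the record must belong to the
    #    caller. Missing and foreign records raise the same error so the
    #    endpoint cannot be used to enumerate valid ids.
    if rec is None or rec["owner"] != principal:
        raise NotFound(raw_id)
    return rec["body"]


def probe(fetch: Fetch, raw_id: str, principal: str) -> str:
    """Run one request and report the outcome (body or exception name), which
    is what a tester records when sweeping an id parameter."""
    try:
        return fetch(raw_id, principal)
    except (NotFound, BadIdentifier, ValueError) as exc:
        return type(exc).__name__


def cross_tenant_reads(fetch: Fetch, principal: str, ids: Iterable[int]) -> int:
    """IDOR sweep: count records returned to `principal` that it does not own.
    Any value above zero means the identifier alone grants access."""
    leaked = 0
    for i in ids:
        body = probe(fetch, str(i), principal)
        if i in RECORDS and body == RECORDS[i]["body"] and RECORDS[i]["owner"] != principal:
            leaked += 1
    return leaked


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_reads(vulnerable_fetch, "alice", range(1000, 1010)))
    print("hardened:", cross_tenant_reads(hardened_fetch, "alice", range(1000, 1010)))
```

The sweep is the practical check for entries of this kind: authenticate as one low-privilege user, walk a range of identifiers, and count responses that belong to someone else. The same error for missing and foreign records matters because a distinguishable "forbidden" response still lets an unauthenticated caller enumerate which identifiers exist.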