CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27616 – Vela Server has Insufficient Webhook Payload Data Verification
https://notcve.org/view.php?id=CVE-2025-27616
10 Mar 2025 — Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any... • https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5 • CWE-290: Authentication Bypass by Spoofing CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43447
https://notcve.org/view.php?id=CVE-2021-43447
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. • https://github.com/ONLYOFFICE/server • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-43444
https://notcve.org/view.php?id=CVE-2021-43444
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key. Todas las versiones de ONLYOFFICE a partir del 08/11/2021 se ven afectadas por un control de acceso incorrecto. Las URL de descarga de documentos firmados se pueden falsificar debido a una clave de firma de URL predeterminada débil. • https://github.com/ONLYOFFICE/server • CWE-287: Improper Authentication •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43448
https://notcve.org/view.php?id=CVE-2021-43448
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 son vulnerables a una validación de entrada incorrecta. La falta de validación de entrada puede permitir que un atacante falsifique los nombres de los usuarios que interactúan con un documento, si se conoce la identificació... • https://github.com/ONLYOFFICE/server • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-43445
https://notcve.org/view.php?id=CVE-2021-43445
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An attacker can authenticate with the web socket service of the ONLYOFFICE document editor which is protected by JWT auth by using a default JWT signing key. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 se ven afectadas por un control de acceso incorrecto. Un atacante puede autenticarse con el servicio de socket web del editor de documentos ONLYOFFICE que está protegido por la autenticación JWT mediante ... • https://github.com/ONLYOFFICE/server • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43446
https://notcve.org/view.php?id=CVE-2021-43446
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 son vulnerables a Cross Site Scripting (XSS). La función "macros" del editor de documentos permite realizar cross site scripting. • https://github.com/ONLYOFFICE/server • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43449
https://notcve.org/view.php?id=CVE-2021-43449
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 se ven afectadas por una vulnerabilidad Server-Side Request Forgery (SSRF). Se puede abusar del servicio de edición de documentos para leer y servir URL arbitrarias como documento. • https://github.com/ONLYOFFICE/server • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46181 – Gotify server XSS vulnerability in the application image file upload
https://notcve.org/view.php?id=CVE-2022-46181
29 Dec 2022 — Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Versions prior to 2.2.2 contain an XSS vulnerability that allows authenticated users to upload .html files. An attacker could execute client side scripts **if** another user opened a link. The attacker could potentially take over the account of the user that clicked the link. The Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outsi... • https://github.com/gotify/server/pull/534 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-46763
https://notcve.org/view.php?id=CVE-2022-46763
27 Dec 2022 — A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code. Un problema de inyección SQL en una función almacenada de base de datos en TrueConf Server 5.2.0.10225 permite a un usuario de base de datos con pocos privilegios ejecutar comandos SQL arbitrarios como administrador de la base de datos, lo que resulta en la ejecución de código arbitr... • https://github.com/sldlb/public_cve_submissions/blob/main/CVE-2022-46763.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 0CVE-2022-46764
https://notcve.org/view.php?id=CVE-2022-46764
27 Dec 2022 — A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution. Un problema de inyección SQL en la API web en TrueConf Server 5.2.0.10225 permite a atacantes remotos no autenticados ejecutar comandos SQL arbitrarios, lo que en última instancia conduce a la ejecución remota de código. • https://github.com/sldlb/public_cve_submissions/blob/main/CVE-2022-46764.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •