CVSS: 6.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-0557 – Hyland Alfresco Community Edition URL s cross site scripting
https://notcve.org/view.php?id=CVE-2025-0557
18 Jan 2025 — A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?ctiid.292491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40347
https://notcve.org/view.php?id=CVE-2024-40347
20 Jul 2024 — A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid. Una vulnerabilidad reflejada de Cross Site Scripting (XSS) en Hyland Alfresco Platform 23.2.1-r96 permite a los atacantes ejecutar código arbitrario en el contexto del navegador de un usuario mediante la inyección de un payload manipulado en el parámetro htmlid. • https://github.com/4rdr/proofs/blob/main/info/Alfresco_Reflected_XSS_via_htmlid_parameter.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 6%CPEs: 1EXPL: 1CVE-2023-49964
https://notcve.org/view.php?id=CVE-2023-49964
11 Dec 2023 — An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873. Se descubrió un problema en Hyland Alfresco Community Edition hasta 7.2.0. Al insertar contenido malicioso en el archi... • https://github.com/mbadanoiu/CVE-2023-49964 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-32828 – Regular expression Denial of Service in MooTools
https://notcve.org/view.php?id=CVE-2021-32828
05 Jan 2023 — The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API. • https://github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2022-23342
https://notcve.org/view.php?id=CVE-2022-23342
21 Jun 2022 — The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems. Hyland Onbase Application Server versiones anterior... • https://github.com/InitRoot/CVE-2022-23342 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-25247
https://notcve.org/view.php?id=CVE-2020-25247
11 Sep 2020 — An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x through 19.8.9.1000. Directory traversal exists for writing to files, as demonstrated by the FileName parameter. Se detectó un problema en Hyland OnBase versiones hasta la 18.0.0.32 y versiones 19.x hasta 19.8.9.1000. Se presenta un salto de directorio para escribir en archivos, como es demostrado por el parámetro FileName • http://seclists.org/fulldisclosure/2020/Oct/9 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25248
https://notcve.org/view.php?id=CVE-2020-25248
11 Sep 2020 — An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Directory traversal exists for reading files, as demonstrated by the FileName parameter. Se detectó un problema en Hyland OnBase hasta la versión 16.0.2.83 e inferior, versión 17.0.2.109 e inferior, versión 18.0.0.37 e inferior, versión 19.8.16.1000 e inferior y versión 20.3.10.1000 e inferior. Existe un recorrido de directorios para la lectura d... • http://seclists.org/fulldisclosure/2020/Oct/9 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25249
https://notcve.org/view.php?id=CVE-2020-25249
11 Sep 2020 — An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. The server typically logs activity only when a client application specifies that logging is desired. This can be problematic for use cases in a regulated industry, where server-side logging is required in additional situations. Se detectó un problema en Hyland OnBase versión 16.0.2.83 e inferior, versión 17.0.2.109 e inferior, versión 18.0.0.37 e inferio... • https://seclists.org/fulldisclosure/2020/Sep/8 •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25250
https://notcve.org/view.php?id=CVE-2020-25250
11 Sep 2020 — An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client applications can write arbitrary data to the server logs. Se detectó un problema en Hyland OnBase versión 16.0.2.83 e inferior, versión 17.0.2.109 e inferior, versión 18.0.0.37 e inferior, versión 19.8.16.1000 e inferior y versión 20.3.10.1000 e inferior. Las aplicaciones cliente pueden escribir datos arbitrarios en los registros del servidor • https://seclists.org/fulldisclosure/2020/Sep/8 •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 0CVE-2020-25251
https://notcve.org/view.php?id=CVE-2020-25251
11 Sep 2020 — An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. Client-side authentication is used for critical functions such as adding users or retrieving sensitive information. Se detectó un problema en Hyland OnBase versión 16.0.2.83 e inferior, versión 17.0.2.109 e inferior, versión 18.0.0.37 e inferior, versión 19.8.16.1000 e inferior y versión 20.3.10.1000 e inferior. La autenticación del lado del cliente se u... • https://seclists.org/fulldisclosure/2020/Sep/16 • CWE-287: Improper Authentication •