Refine your search
8 vulnerabilities found for by Erudika
CVE-2026-39354 (GCVE-0-2026-39354)
Vulnerability from cvelistv5
Published
2026-04-07 18:54
Modified
2026-04-09 16:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39354",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T15:04:47.366387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:17:51.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Erudika/scoold/security/advisories/GHSA-768r-cv9p-wrcm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "scoold",
"vendor": "Erudika",
"versions": [
{
"status": "affected",
"version": "\u003c 1.66.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Scoold is a Q\u0026A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user\u0027s existing question by supplying that question\u0027s public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T18:54:36.133Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Erudika/scoold/security/advisories/GHSA-768r-cv9p-wrcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Erudika/scoold/security/advisories/GHSA-768r-cv9p-wrcm"
}
],
"source": {
"advisory": "GHSA-768r-cv9p-wrcm",
"discovery": "UNKNOWN"
},
"title": "Scoold has an Authenticated Arbitrary Question Overwrite via Client-Controlled postId in POST /questions/ask"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39354",
"datePublished": "2026-04-07T18:54:36.133Z",
"dateReserved": "2026-04-06T20:28:38.395Z",
"dateUpdated": "2026-04-09T16:17:51.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34832 (GCVE-0-2026-34832)
Vulnerability from cvelistv5
Published
2026-04-02 19:08
Modified
2026-04-03 14:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34832",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T14:43:03.105703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T14:43:14.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "scoold",
"vendor": "Erudika",
"versions": [
{
"status": "affected",
"version": "\u003c 1.66.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Scoold is a Q\u0026A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user\u0027s feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account\u0027s feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T19:08:03.206Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Erudika/scoold/security/advisories/GHSA-g5fv-xw88-vw44",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Erudika/scoold/security/advisories/GHSA-g5fv-xw88-vw44"
},
{
"name": "https://github.com/Erudika/scoold/commit/5def88c25405cc60482292bcceb45dc024e899fe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Erudika/scoold/commit/5def88c25405cc60482292bcceb45dc024e899fe"
},
{
"name": "https://github.com/Erudika/scoold/releases/tag/1.66.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Erudika/scoold/releases/tag/1.66.1"
}
],
"source": {
"advisory": "GHSA-g5fv-xw88-vw44",
"discovery": "UNKNOWN"
},
"title": "Scoold: Cross-Account Feedback Deletion (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34832",
"datePublished": "2026-04-02T19:08:03.206Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-03T14:43:14.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49009 (GCVE-0-2025-49009)
Vulnerability from cvelistv5
Published
2025-06-05 16:40
Modified
2025-06-17 13:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Summary
Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:54:10.822111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:54:23.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "para",
"vendor": "Erudika",
"versions": [
{
"status": "affected",
"version": "\u003c 1.50.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL being logged during a failed request to a Facebook user profile. The log includes the user\u0027s access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure. Version 1.50.8 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T16:40:27.978Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g"
},
{
"name": "https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf"
}
],
"source": {
"advisory": "GHSA-qx7g-fx8q-545g",
"discovery": "UNKNOWN"
},
"title": "Para Inserts Sensitive Information into Log File for Facebook authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49009",
"datePublished": "2025-06-05T16:40:27.978Z",
"dateReserved": "2025-05-29T16:34:07.176Z",
"dateUpdated": "2025-06-17T13:54:23.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48955 (GCVE-0-2025-48955)
Vulnerability from cvelistv5
Published
2025-06-02 11:11
Modified
2025-06-02 16:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Summary
Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48955",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T16:46:31.470097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T16:47:02.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "para",
"vendor": "Erudika",
"versions": [
{
"status": "affected",
"version": "\u003c 1.50.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 exposes both access and secret keys in logs without redaction. These credentials are later reused in variable assignments for persistence but do not require logging for debugging or system health purposes. Version 1.50.8 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T11:11:22.722Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Erudika/para/security/advisories/GHSA-v75g-77vf-6jjq"
},
{
"name": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Erudika/para/commit/1e8a89558542854bb0683ab234c4429ad93b0835"
}
],
"source": {
"advisory": "GHSA-v75g-77vf-6jjq",
"discovery": "UNKNOWN"
},
"title": "Para Server Logs Sensitive Information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48955",
"datePublished": "2025-06-02T11:11:22.722Z",
"dateReserved": "2025-05-28T18:49:07.585Z",
"dateUpdated": "2025-06-02T16:47:02.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50334 (GCVE-0-2024-50334)
Vulnerability from cvelistv5
Published
2024-10-29 14:36
Modified
2024-10-29 14:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Summary
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:erudika:scoold:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scoold",
"vendor": "erudika",
"versions": [
{
"lessThan": "1.64.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:51:53.758265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:53:25.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "scoold",
"vendor": "Erudika",
"versions": [
{
"status": "affected",
"version": "\u003c 1.64.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Scoold is a Q\u0026A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T14:36:13.466Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Erudika/scoold/security/advisories/GHSA-fhwp-f6g7-rr3p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Erudika/scoold/security/advisories/GHSA-fhwp-f6g7-rr3p"
}
],
"source": {
"advisory": "GHSA-fhwp-f6g7-rr3p",
"discovery": "UNKNOWN"
},
"title": "Semicolon Path Injection on API /api;/config"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-50334",
"datePublished": "2024-10-29T14:36:13.466Z",
"dateReserved": "2024-10-22T17:54:40.954Z",
"dateUpdated": "2024-10-29T14:53:25.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1848 (GCVE-0-2022-1848)
Vulnerability from cvelistv5
Published
2022-05-24 10:40
Modified
2024-08-03 00:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-840 - Business Logic Errors
Summary
Business Logic Errors in GitHub repository erudika/para prior to 1.45.11.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erudika | erudika/para |
Version: unspecified < 1.45.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:17:00.744Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8dfe0877-e44b-4a1a-8eee-5c03c93ae90a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erudika/para/commit/fa677c629842df60099daa9c23bd802bc41b48d1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "erudika/para",
"vendor": "erudika",
"versions": [
{
"lessThan": "1.45.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Business Logic Errors in GitHub repository erudika/para prior to 1.45.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-840",
"description": "CWE-840 Business Logic Errors",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-24T10:40:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8dfe0877-e44b-4a1a-8eee-5c03c93ae90a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erudika/para/commit/fa677c629842df60099daa9c23bd802bc41b48d1"
}
],
"source": {
"advisory": "8dfe0877-e44b-4a1a-8eee-5c03c93ae90a",
"discovery": "EXTERNAL"
},
"title": "Business Logic Errors in erudika/para",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1848",
"STATE": "PUBLIC",
"TITLE": "Business Logic Errors in erudika/para"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "erudika/para",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.45.11"
}
]
}
}
]
},
"vendor_name": "erudika"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Business Logic Errors in GitHub repository erudika/para prior to 1.45.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-840 Business Logic Errors"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8dfe0877-e44b-4a1a-8eee-5c03c93ae90a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8dfe0877-e44b-4a1a-8eee-5c03c93ae90a"
},
{
"name": "https://github.com/erudika/para/commit/fa677c629842df60099daa9c23bd802bc41b48d1",
"refsource": "MISC",
"url": "https://github.com/erudika/para/commit/fa677c629842df60099daa9c23bd802bc41b48d1"
}
]
},
"source": {
"advisory": "8dfe0877-e44b-4a1a-8eee-5c03c93ae90a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1848",
"datePublished": "2022-05-24T10:40:09.000Z",
"dateReserved": "2022-05-24T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:17:00.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1782 (GCVE-0-2022-1782)
Vulnerability from cvelistv5
Published
2022-05-18 09:00
Modified
2024-08-03 00:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erudika | erudika/para |
Version: unspecified < v1.45.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:16:59.850Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/7555693f-94e4-4183-98cb-3497da6df028"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erudika/para/commit/9d844f31333475a0394dd14b901ea50674b281f8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "erudika/para",
"vendor": "erudika",
"versions": [
{
"lessThan": "v1.45.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-18T09:00:14.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/7555693f-94e4-4183-98cb-3497da6df028"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erudika/para/commit/9d844f31333475a0394dd14b901ea50674b281f8"
}
],
"source": {
"advisory": "7555693f-94e4-4183-98cb-3497da6df028",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in erudika/para",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1782",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in erudika/para"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "erudika/para",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "v1.45.11"
}
]
}
}
]
},
"vendor_name": "erudika"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/7555693f-94e4-4183-98cb-3497da6df028",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/7555693f-94e4-4183-98cb-3497da6df028"
},
{
"name": "https://github.com/erudika/para/commit/9d844f31333475a0394dd14b901ea50674b281f8",
"refsource": "MISC",
"url": "https://github.com/erudika/para/commit/9d844f31333475a0394dd14b901ea50674b281f8"
}
]
},
"source": {
"advisory": "7555693f-94e4-4183-98cb-3497da6df028",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1782",
"datePublished": "2022-05-18T09:00:14.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:16:59.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1543 (GCVE-0-2022-1543)
Vulnerability from cvelistv5
Published
2022-04-29 18:10
Modified
2024-08-03 00:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Summary
Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough the service results in a momentary outage in a production environment. That can lead to memory corruption on the server.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| erudika | erudika/scoold |
Version: unspecified < 1.49.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/9889d435-3b9c-4e9d-93bc-5272e0723f9f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erudika/scoold/commit/62a0e92e1486ddc17676a7ead2c07ff653d167ce"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "erudika/scoold",
"vendor": "erudika",
"versions": [
{
"lessThan": "1.49.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough the service results in a momentary outage in a production environment. That can lead to memory corruption on the server."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-29T18:10:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/9889d435-3b9c-4e9d-93bc-5272e0723f9f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erudika/scoold/commit/62a0e92e1486ddc17676a7ead2c07ff653d167ce"
}
],
"source": {
"advisory": "9889d435-3b9c-4e9d-93bc-5272e0723f9f",
"discovery": "EXTERNAL"
},
"title": "Improper handling of Length parameter in erudika/scoold",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1543",
"STATE": "PUBLIC",
"TITLE": "Improper handling of Length parameter in erudika/scoold"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "erudika/scoold",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.49.4"
}
]
}
}
]
},
"vendor_name": "erudika"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough the service results in a momentary outage in a production environment. That can lead to memory corruption on the server."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-130 Improper Handling of Length Parameter Inconsistency"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/9889d435-3b9c-4e9d-93bc-5272e0723f9f",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/9889d435-3b9c-4e9d-93bc-5272e0723f9f"
},
{
"name": "https://github.com/erudika/scoold/commit/62a0e92e1486ddc17676a7ead2c07ff653d167ce",
"refsource": "MISC",
"url": "https://github.com/erudika/scoold/commit/62a0e92e1486ddc17676a7ead2c07ff653d167ce"
}
]
},
"source": {
"advisory": "9889d435-3b9c-4e9d-93bc-5272e0723f9f",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1543",
"datePublished": "2022-04-29T18:10:09.000Z",
"dateReserved": "2022-04-29T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}