WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. More information : https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html
WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. More information : https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html
WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. More information : https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html
WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to...
app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. More information : https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields...
app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. More information : https://github.com/MISP/MISP/compare/v2.5.23…v2.5.24
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. More information : https://github.com/libexpat/libexpat/issues/1076
Mustang before 2.16.3 allows exfiltrating files via XXE attacks. More information : https://github.com/ZUGFeRD/mustangproject/issues/685
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. More information...
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server’s filesystem. More information : https://blog.kivitendo.de/?p=1415
Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/
UAF vulnerability in the USB driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/
Vulnerability of improper criterion security check in the call module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. More information : https://consumer.huawei.com/en/support/bulletin/2025/11/