8.7 (CVSS 4.0)

CVE-2025-21609 - SiYuan has an arbitrary file deletion vulnerability

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resul…

📅 Published: Jan. 3, 2025, 4:26 p.m. 🔄 Last Modified: May 14, 2025, 2:39 p.m.

5.3 (CVSS 4.0)

CVE-2024-56514 - Karmada Tar Slips in CRDs archive extraction

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resourc…

📅 Published: Jan. 3, 2025, 4:15 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

8.7 (CVSS 4.0)

CVE-2024-56513 - Karmada PULL Mode Cluster Privilege Escalation

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources.…

📅 Published: Jan. 3, 2025, 4:11 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

8.3 (CVSS 4.0)

CVE-2024-56408 - PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. V…

📅 Published: Jan. 3, 2025, 4:05 p.m. 🔄 Last Modified: May 20, 2025, 7:15 p.m.

2.1 (CVSS 4.0)

CVE-2024-56324 - GoCD vulnerable to XXE injection via abuse of pipeline XML "snippet" editing by group admins

GoCD is a continuous delivery server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse their ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additi…

📅 Published: Jan. 3, 2025, 3:56 p.m. 🔄 Last Modified: Aug. 1, 2025, 7:22 p.m.

2.1 (CVSS 4.0)

CVE-2024-56322 - GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality

GoCD is a continuous delivery server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scan…

📅 Published: Jan. 3, 2025, 3:49 p.m. 🔄 Last Modified: Aug. 1, 2025, 7:24 p.m.

3.8 (CVSS 3.1)

CVE-2024-56321 - GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access

GoCD is a continuous delivery server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. I…

📅 Published: Jan. 3, 2025, 3:41 p.m. 🔄 Last Modified: Aug. 1, 2025, 8:03 p.m.

9.4 (CVSS 4.0)

CVE-2024-56320 - GoCD vulnerable to admin privilege escalation by a malicious internal/existing authenticated user

GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD use…

📅 Published: Jan. 3, 2025, 3:37 p.m. 🔄 Last Modified: Aug. 1, 2025, 8:09 p.m.

4.2 (CVSS 3.1)

CVE-2024-41780 - IBM Jazz Foundation information disclosure

IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a physical user to obtain sensitive information due to not masking passwords during entry.

📅 Published: Jan. 3, 2025, 2:38 p.m. 🔄 Last Modified: March 21, 2025, 3:34 p.m.

4.3 (CVSS 3.1)

CVE-2024-5591 - IBM Jazz Foundation information disclosure

IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

📅 Published: Jan. 3, 2025, 2:33 p.m. 🔄 Last Modified: March 21, 2025, 3:35 p.m.