https://db.gcve.eu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Thu, 30 Apr 2026 19:19:57 +0000 https://db.gcve.eu/sighting/188f3e9e-07e3-4744-b7cb-2bb161ff04f0/export {"uuid": "188f3e9e-07e3-4744-b7cb-2bb161ff04f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24900", "type": "published-proof-of-concept", "source": "https://t.me/cibsecurity/41658", "content": "\u203c CVE-2022-24900 \u203c\n\nPiano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the \"malicious\" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-04-29T18:24:30.000000Z"} {"uuid": "188f3e9e-07e3-4744-b7cb-2bb161ff04f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24900", "type": "published-proof-of-concept", "source": "https://t.me/cibsecurity/41658", "content": "\u203c CVE-2022-24900 \u203c\n\nPiano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the \"malicious\" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-04-29T18:24:30.000000Z"} https://db.gcve.eu/sighting/188f3e9e-07e3-4744-b7cb-2bb161ff04f0/export Fri, 29 Apr 2022 18:24:30 +0000 https://db.gcve.eu/sighting/cf2c13ec-48ba-4b5f-ad72-63244dd95187/export {"uuid": "cf2c13ec-48ba-4b5f-ad72-63244dd95187", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24902", "type": "seen", "source": "https://t.me/cibsecurity/42080", "content": "\u203c CVE-2022-24902 \u203c\n\nTkVideoplayer is a simple library to play video files in tkinter. Uncontrolled memory consumption in versions of TKVideoplayer prior to 2.0.0 can theoretically lead to performance degradation. There are no known workarounds. This issue has been patched and users are advised to upgrade to version 2.0.0 or later.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-06T07:22:06.000000Z"} {"uuid": "cf2c13ec-48ba-4b5f-ad72-63244dd95187", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24902", "type": "seen", "source": "https://t.me/cibsecurity/42080", "content": "\u203c CVE-2022-24902 \u203c\n\nTkVideoplayer is a simple library to play video files in tkinter. Uncontrolled memory consumption in versions of TKVideoplayer prior to 2.0.0 can theoretically lead to performance degradation. There are no known workarounds. This issue has been patched and users are advised to upgrade to version 2.0.0 or later.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-06T07:22:06.000000Z"} https://db.gcve.eu/sighting/cf2c13ec-48ba-4b5f-ad72-63244dd95187/export Fri, 06 May 2022 07:22:06 +0000 https://db.gcve.eu/sighting/c58232d6-6e45-46e5-b780-c73e9cc9d02c/export {"uuid": "c58232d6-6e45-46e5-b780-c73e9cc9d02c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24903", "type": "seen", "source": "https://t.me/cibsecurity/42082", "content": "\u203c CVE-2022-24903 \u203c\n\nRsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-06T07:22:08.000000Z"} {"uuid": "c58232d6-6e45-46e5-b780-c73e9cc9d02c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24903", "type": "seen", "source": "https://t.me/cibsecurity/42082", "content": "\u203c CVE-2022-24903 \u203c\n\nRsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum, This can be used to overrun the memory buffer. However, once the sequence of digits stop, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-06T07:22:08.000000Z"} https://db.gcve.eu/sighting/c58232d6-6e45-46e5-b780-c73e9cc9d02c/export Fri, 06 May 2022 07:22:08 +0000 https://db.gcve.eu/sighting/3ecefc25-4a24-4c36-957c-9da95d5ee9e1/export {"uuid": "3ecefc25-4a24-4c36-957c-9da95d5ee9e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24905", "type": "seen", "source": "https://t.me/cibsecurity/43059", "content": "\u203c CVE-2022-24905 \u203c\n\nArgo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-20T18:31:29.000000Z"} {"uuid": "3ecefc25-4a24-4c36-957c-9da95d5ee9e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24905", "type": "seen", "source": "https://t.me/cibsecurity/43059", "content": "\u203c CVE-2022-24905 \u203c\n\nArgo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. There are currently no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-20T18:31:29.000000Z"} https://db.gcve.eu/sighting/3ecefc25-4a24-4c36-957c-9da95d5ee9e1/export Fri, 20 May 2022 18:31:29 +0000 https://db.gcve.eu/sighting/8d527cc7-2e54-4080-a270-5c8545f89b99/export {"uuid": "8d527cc7-2e54-4080-a270-5c8545f89b99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24904", "type": "seen", "source": "https://t.me/cibsecurity/43062", "content": "\u203c CVE-2022-24904 \u203c\n\nArgo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-20T18:31:33.000000Z"} {"uuid": "8d527cc7-2e54-4080-a270-5c8545f89b99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24904", "type": "seen", "source": "https://t.me/cibsecurity/43062", "content": "\u203c CVE-2022-24904 \u203c\n\nArgo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-20T18:31:33.000000Z"} https://db.gcve.eu/sighting/8d527cc7-2e54-4080-a270-5c8545f89b99/export Fri, 20 May 2022 18:31:33 +0000 https://db.gcve.eu/sighting/c0a0da2b-a7d6-40e0-bdd1-df118540a2cd/export {"uuid": "c0a0da2b-a7d6-40e0-bdd1-df118540a2cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24906", "type": "seen", "source": "https://t.me/cibsecurity/43074", "content": "\u203c CVE-2022-24906 \u203c\n\nNextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-20T20:30:51.000000Z"} {"uuid": "c0a0da2b-a7d6-40e0-bdd1-df118540a2cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24906", "type": "seen", "source": "https://t.me/cibsecurity/43074", "content": "\u203c CVE-2022-24906 \u203c\n\nNextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-05-20T20:30:51.000000Z"} https://db.gcve.eu/sighting/c0a0da2b-a7d6-40e0-bdd1-df118540a2cd/export Fri, 20 May 2022 20:30:51 +0000 https://db.gcve.eu/sighting/b2dd19e8-9d6f-4020-a70c-6d1a78997cb4/export {"uuid": "b2dd19e8-9d6f-4020-a70c-6d1a78997cb4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-2490", "type": "seen", "source": "https://t.me/cibsecurity/46644", "content": "\u203c CVE-2022-2490 \u203c\n\nA vulnerability classified as critical has been found in SourceCodester Simple E-Learning System 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument classCode with the input 1'||(SELECT 0x74666264 WHERE 5610=5610 AND (SELECT 7504 FROM(SELECT COUNT(*),CONCAT(0x7171627a71,(SELECT (ELT(7504=7504,1))),0x71717a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||' leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-07-20T16:20:04.000000Z"} {"uuid": "b2dd19e8-9d6f-4020-a70c-6d1a78997cb4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-2490", "type": "seen", "source": "https://t.me/cibsecurity/46644", "content": "\u203c CVE-2022-2490 \u203c\n\nA vulnerability classified as critical has been found in SourceCodester Simple E-Learning System 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument classCode with the input 1'||(SELECT 0x74666264 WHERE 5610=5610 AND (SELECT 7504 FROM(SELECT COUNT(*),CONCAT(0x7171627a71,(SELECT (ELT(7504=7504,1))),0x71717a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||' leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-07-20T16:20:04.000000Z"} https://db.gcve.eu/sighting/b2dd19e8-9d6f-4020-a70c-6d1a78997cb4/export Wed, 20 Jul 2022 16:20:04 +0000 https://db.gcve.eu/sighting/514f18bd-f978-4904-8863-063a6afd11cd/export {"uuid": "514f18bd-f978-4904-8863-063a6afd11cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24908", "type": "seen", "source": "https://t.me/cibsecurity/60913", "content": "\u203c CVE-2022-24908 \u203c\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 images. Crafted data in a JP2 image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16187.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-28T22:39:49.000000Z"} {"uuid": "514f18bd-f978-4904-8863-063a6afd11cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24908", "type": "seen", "source": "https://t.me/cibsecurity/60913", "content": "\u203c CVE-2022-24908 \u203c\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 images. Crafted data in a JP2 image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16187.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-28T22:39:49.000000Z"} https://db.gcve.eu/sighting/514f18bd-f978-4904-8863-063a6afd11cd/export Tue, 28 Mar 2023 22:39:49 +0000 https://db.gcve.eu/sighting/4b9df373-48de-4eb3-a05e-09b529f4761b/export {"uuid": "4b9df373-48de-4eb3-a05e-09b529f4761b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24907", "type": "seen", "source": "https://t.me/cibsecurity/60920", "content": "\u203c CVE-2022-24907 \u203c\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 images. Crafted data in a JP2 image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16186.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-28T22:39:58.000000Z"} {"uuid": "4b9df373-48de-4eb3-a05e-09b529f4761b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24907", "type": "seen", "source": "https://t.me/cibsecurity/60920", "content": "\u203c CVE-2022-24907 \u203c\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 images. Crafted data in a JP2 image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16186.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-28T22:39:58.000000Z"} https://db.gcve.eu/sighting/4b9df373-48de-4eb3-a05e-09b529f4761b/export Tue, 28 Mar 2023 22:39:58 +0000 https://db.gcve.eu/sighting/1276da88-0a31-4e22-ba8d-cbef322acdf9/export {"uuid": "1276da88-0a31-4e22-ba8d-cbef322acdf9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24906", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/12922", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-24906\n\ud83d\udd25 CVSS Score: 3.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)\n\ud83d\udd39 Description: Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.\n\ud83d\udccf Published: 2022-05-20T15:40:17.000Z\n\ud83d\udccf Modified: 2025-04-22T18:00:53.353Z\n\ud83d\udd17 References:\n1. https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hx9w-xfrg-2qvp\n2. https://github.com/nextcloud/deck/pull/3384\n3. https://hackerone.com/reports/1354334", "creation_timestamp": "2025-04-22T18:03:36.000000Z"} {"uuid": "1276da88-0a31-4e22-ba8d-cbef322acdf9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-24906", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/12922", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-24906\n\ud83d\udd25 CVSS Score: 3.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)\n\ud83d\udd39 Description: Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.\n\ud83d\udccf Published: 2022-05-20T15:40:17.000Z\n\ud83d\udccf Modified: 2025-04-22T18:00:53.353Z\n\ud83d\udd17 References:\n1. https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hx9w-xfrg-2qvp\n2. https://github.com/nextcloud/deck/pull/3384\n3. https://hackerone.com/reports/1354334", "creation_timestamp": "2025-04-22T18:03:36.000000Z"} https://db.gcve.eu/sighting/1276da88-0a31-4e22-ba8d-cbef322acdf9/export Tue, 22 Apr 2025 18:03:36 +0000