Security Vulnerabilities
AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-02-11
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
CVSS Score
5.3
EPSS Score
0.001
Published
2026-02-11
ASTPP 4.0.1 contains an information disclosure vulnerability that allows unauthenticated attackers to download database backup files by predicting backup filename patterns. Attackers can generate a list of 6-digit PIN combinations and fuzz the backup download URL to exfiltrate sensitive database information from the /database_backup/ directory.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-02-11
ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with root permissions through cron task manipulation.
CVSS Score
9.8
EPSS Score
0.002
Published
2026-02-11
AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-02-11
A Use of Single-factor Authentication vulnerability in the Authentication component of CIPPlanner CIPAce before 9.17 allows attackers to bypass a protection mechanism. When the system is configured to allow login with internal accounts, an attacker can possibly obtain full authentication if the secret in a single-factor authentication scheme gets compromised.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-02-11
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the /api/users endpoint.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-02-11
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the Command execution function.
CVSS Score
5.3
EPSS Score
0.001
Published
2026-02-11
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the admin parameter.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-11
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the api parameter of the oauth, amazon_sns, export endpoints.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-11