Security Vulnerabilities
The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-11-18
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-11-18
HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data.
CVSS Score
3.5
EPSS Score
0.0
Published
2025-11-18
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-11-18
kishan0725 Hospital Management System has a Cross-Site Scripting (XSS) vulnerability in appsearch.php via the email parameter.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-11-18
DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-18
DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-11-18
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-11-18
kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in the appointment cancellation functionality.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-18
kishan0725 Hospital Management System/ v4 is vulnerable to SQL Injection in admin-panel1.php, specifically in the deleting doctor logic. The application fails to properly sanitize or parameterize user-supplied input from the demail parameter before incorporating it directly into a dynamic SQL query.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-18