Security Vulnerabilities
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-09-30
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-09-30
A Reflected Cross-Site Scripting (XSS) vulnerability was found in loginsystem/edit-profile.php of the PHPGurukul User Registration & Login and User Management System V3.3. This vulnerability allows remote attackers to execute arbitrary JavaScript code via the fname, lname, and contact parameters.
CVSS Score
4.8
EPSS Score
0.0
Published
2025-09-30
In Frappe ERPNext v15.57.5, the function import_coa() at erpnext/accounts/doctype/chart_of_accounts_importer/chart_of_accounts_importer.py is vulnerable to SQL injection, which allows an attacker to extract all information from databases by injecting a SQL query into the company parameter.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-09-30
In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-09-30
In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-09-30
In Frappe ERPNext 15.57.5, the function get_loyalty_program_details_with_points() at erpnext/accounts/doctype/loyalty_program/loyalty_program.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the expiry_date parameter.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-09-30
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) contain an undocumented 'printerlogic' user with a hardcoded SSH public key in '~/.ssh/authorized_keys' and a sudoers rule granting the printerlogic_ssh group 'NOPASSWD: ALL'. Possession of the matching private key gives an attacker root access to the appliance.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-09-30
Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs This vulnerability affects Firefox for iOS < 143.1.
CVSS Score
4.0
EPSS Score
0.0
Published
2025-09-30
This vulnerability affects Firefox < 143.0.3.
CVSS Score
8.6
EPSS Score
0.0
Published
2025-09-30