Security Vulnerabilities
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a
stored HTML injection due to lack of proper validation of user input by
sending a POST request in the parameters 'subject' at the endpoint 'knoewledge_base/article'.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-29
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a
stored HTML injection due to lack of proper validation of user input by
sending a POST request in the parameter 'name' at the endpoint '/subscriptions/create'.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-29
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a
stored HTML injection due to lack of proper validation of user input by
sending a POST request in the parameter 'expense_name' at the endpoint '/expenses/expense'.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-29
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a
stored HTML injection due to lack of proper validation of user input by
sending a POST request in the parameters 'name' and 'clientid' at the endpoint '/projects/project/x'.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-29
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a
stored HTML injection due to lack of proper validation of user input by
sending a POST request in the parameter 'company' at the endpoint '/clients/client/x.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-29
Improper restriction of XML external entity reference issue exists in DataSpider Servista 4.4 and earlier. If a specially crafted request is processed, arbitrary files on the file system where the server application for the product is installed may be read, or a denial-of-service (DoS) condition may occur.
CVSS Score
8.2
EPSS Score
0.001
Published
2025-09-29
A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-09-29
A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Affected is the function uploadStudioFile of the component com.artery.form.services.FormStudioUpdater. This manipulation of the argument filepath causes path traversal. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-09-29
A vulnerability was found in mirweiye wenkucms up to 3.4. This impacts the function createPathOne of the file app/common/common.php. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
CVSS Score
6.3
EPSS Score
0.004
Published
2025-09-29
A flaw has been found in Tenda AC18 15.03.05.19. This impacts an unknown function of the file /goform/saveAutoQos. This manipulation of the argument enable causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-09-28