Search Results (11 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-53901 | 1 Cerebrate-project | 1 Cerebrate | 2026-06-11 | N/A | Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled. Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching. |
| CVE-2025-66385 | 1 Cerebrate-project | 1 Cerebrate | 2026-04-15 | N/A | UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request. |
| CVE-2023-26468 | 1 Cerebrate-project | 1 Cerebrate | 2025-03-12 | 9.1 Critical | Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. |
| CVE-2023-28883 | 1 Cerebrate-project | 1 Cerebrate | 2025-02-19 | 9.8 Critical | In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. |
| CVE-2023-41908 | 1 Cerebrate-project | 1 Cerebrate | 2024-11-21 | 5.3 Medium | Cerebrate before 1.15 lacks the Secure attribute for the session cookie. |
| CVE-2023-41363 | 1 Cerebrate-project | 1 Cerebrate | 2024-11-21 | 4.3 Medium | In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users. |
| CVE-2022-25321 | 1 Cerebrate-project | 1 Cerebrate | 2024-11-21 | 6.1 Medium | An issue was discovered in Cerebrate through 1.4. XSS could occur in the bookmarks component. |
| CVE-2022-25320 | 1 Cerebrate-project | 1 Cerebrate | 2024-11-21 | 5.3 Medium | An issue was discovered in Cerebrate through 1.4. Username enumeration could occur. |
| CVE-2022-25319 | 1 Cerebrate-project | 1 Cerebrate | 2024-11-21 | 5.3 Medium | An issue was discovered in Cerebrate through 1.4. Endpoints could be open even when not enabled. |
| CVE-2022-25318 | 1 Cerebrate-project | 1 Cerebrate | 2024-11-21 | 4.3 Medium | An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups. |
| CVE-2022-25317 | 1 Cerebrate-project | 1 Cerebrate | 2024-11-21 | 6.1 Medium | An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description. |