VYPR

OneNav

by OneNav

CVEs (5)

  • CVE-2021-38712HigAug 16, 2021
    risk 0.49cvss 7.5epss 0.01

    OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. NOTE: the vendor's recommended solution is to block the access via an NGINX configuration file.

  • CVE-2024-33832MedApr 30, 2024
    risk 0.41cvss 6.3epss 0.01

    OneNav v0.9.35-20240318 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /index.php?c=api&method=get_link_info.

  • CVE-2025-28097MedMar 28, 2025
    risk 0.36cvss 5.5epss 0.00

    OneNav 1.1.0 is vulnerable to Cross Site Scripting (XSS) in custom headers.

  • CVE-2025-28096MedMar 28, 2025
    risk 0.35cvss 5.4epss 0.00

    OneNav 1.1.0 is vulnerable to Server-Side Request Forgery (SSRF) in custom headers.

  • CVE-2021-38138MedAug 5, 2021
    risk 0.35cvss 5.4epss 0.01

    OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.