Cerebrate
CVEs (11)
| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-66385 | Critical | 0.61 | — | 0.00 | Nov 28, 2025 | UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request. |
| CVE-2026-53901 | High | 0.50 | — | 0.00 | Jun 11, 2026 | Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still… |
| CVE-2026-53911 | Medium | 0.34 | — | 0.00 | Jun 11, 2026 | Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit… |
| CVE-2026-53912 | Medium | 0.26 | — | 0.00 | Jun 11, 2026 | Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant's hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses,… |
| CVE-2023-41908 | — | 0.00 | — | 0.00 | Sep 5, 2023 | Cerebrate before 1.15 lacks the Secure attribute for the session cookie. |
| CVE-2023-41363 | — | 0.00 | — | 0.00 | Aug 29, 2023 | In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users. |
| CVE-2023-28883 | — | 0.00 | — | 0.01 | Mar 27, 2023 | In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. |
| CVE-2022-25318 | — | 0.00 | — | 0.01 | Feb 18, 2022 | An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups. |
| CVE-2022-25317 | — | 0.00 | — | 0.01 | Feb 18, 2022 | An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description. |
| CVE-2022-25320 | — | 0.00 | — | 0.01 | Feb 18, 2022 | An issue was discovered in Cerebrate through 1.4. Username enumeration could occur. |
| CVE-2022-25319 | — | 0.00 | — | 0.01 | Feb 18, 2022 | An issue was discovered in Cerebrate through 1.4. Endpoints could be open even when not enabled. |

Risk, CVSS and EPSS are the listing site's own scores; "—" means no value is recorded on this page. Severity is shown where the page records it.
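Three of the entries above (CVE-2025-66385, CVE-2026-53901 and CVE-2026-53911) describe the same defect class: a CRUD handler that copies whatever keys arrive in the request body onto the record, so a non-privileged user can set role_id, organisation_id or the primary key id. The snippet below is an added illustration of that pattern and of the usual fix (an explicit per-role allowlist, the primary key never taken from input, and an ownership check). It is not Cerebrate's code; the function names, role names, field names and the request body are assumptions made for the example.

```php
<?php
// Added illustration of mass assignment in a user-edit handler.
// Not Cerebrate's code: function names, roles and fields are assumed.

// Vulnerable pattern: every key in the request body lands on the record,
// so a normal user can supply role_id, organisation_id or even id.
function patchUserUnsafe(array $record, array $input): array
{
    foreach ($input as $field => $value) {
        $record[$field] = $value;
    }
    return $record;
}

// Hardened pattern: allowlist per role, id never accepted from input,
// and a non-admin may only patch their own record.
function patchUserSafe(array $record, array $input, array $currentUser): array
{
    // Fields any authenticated user may change on their own account.
    $selfEditable = ['username', 'email', 'name'];
    // Fields only an administrator may change. id is deliberately absent.
    $adminOnly = ['role_id', 'organisation_id', 'disabled'];

    $isAdmin = ($currentUser['role'] ?? '') === 'admin';
    if (!$isAdmin && $currentUser['id'] !== $record['id']) {
        throw new RuntimeException('Forbidden: not the owner of this record');
    }

    $allowed = $isAdmin ? array_merge($selfEditable, $adminOnly) : $selfEditable;

    // Keep only allowlisted keys; anything else (role_id, id, ...) is dropped.
    $filtered = array_intersect_key($input, array_flip($allowed));
    return array_replace($record, $filtered);
}

// Constructed sample: user 42 (role "user") tries to promote themselves
// and to move to another organisation by adding extra keys to the edit body.
$record = [
    'id' => 42,
    'username' => 'alice',
    'email' => 'alice@example.org',
    'role_id' => 3,
    'organisation_id' => 7,
];
$input = json_decode(
    '{"email":"alice@example.org","role_id":1,"organisation_id":1,"id":1}',
    true
);
$currentUser = ['id' => 42, 'role' => 'user'];

$unsafe = patchUserUnsafe($record, $input);
$safe   = patchUserSafe($record, $input, $currentUser);

printf("unsafe: id=%d role_id=%d organisation_id=%d\n",
    $unsafe['id'], $unsafe['role_id'], $unsafe['organisation_id']);
printf("safe:   id=%d role_id=%d organisation_id=%d\n",
    $safe['id'], $safe['role_id'], $safe['organisation_id']);
```

The point of the allowlist is that the protected fields are never named on the request side at all: stripping id from $params before normalisation, as the CVE-2026-53901 description says the affected add() handler did, leaves the door open whenever the normalised input is rebuilt from the original request. Filtering after normalisation, against a fixed list of accepted fields, does not have that gap.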