Onenav
by Helloxz
Source repositories
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-33832 | Med | 0.41 | 6.3 | 0.03 | Apr 30, 2024 | OneNav v0.9.35-20240318 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /index.php?c=api&method=get_link_info. | ||
| CVE-2025-28096 | 0.00 | — | 0.00 | Mar 28, 2025 | OneNav 1.1.0 is vulnerable to Server-Side Request Forgery (SSRF) in custom headers. | |||
| CVE-2025-28097 | 0.00 | — | 0.00 | Mar 28, 2025 | OneNav 1.1.0 is vulnerable to Cross Site Scripting (XSS) in custom headers. | |||
| CVE-2023-7210 | 0.00 | — | 0.00 | Jan 7, 2024 | A vulnerability was found in OneNav up to 0.9.33. It has been classified as critical. This affects an unknown part of the file /index.php?c=api of the component API. The manipulation of the argument X-Token leads to improper authentication. It is possible to initiate the attack… | |||
| CVE-2022-26276 | 0.00 | — | 0.00 | Mar 12, 2022 | An issue in index.php of OneNav v0.9.14 allows attackers to perform directory traversal. | |||
| CVE-2021-38138 | 0.00 | — | 0.00 | Aug 5, 2021 | OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release. |
- risk 0.41cvss 6.3epss 0.03
OneNav v0.9.35-20240318 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /index.php?c=api&method=get_link_info.
- CVE-2025-28096Mar 28, 2025risk 0.00cvss —epss 0.00
OneNav 1.1.0 is vulnerable to Server-Side Request Forgery (SSRF) in custom headers.
- CVE-2025-28097Mar 28, 2025risk 0.00cvss —epss 0.00
OneNav 1.1.0 is vulnerable to Cross Site Scripting (XSS) in custom headers.
- CVE-2023-7210Jan 7, 2024risk 0.00cvss —epss 0.00
A vulnerability was found in OneNav up to 0.9.33. It has been classified as critical. This affects an unknown part of the file /index.php?c=api of the component API. The manipulation of the argument X-Token leads to improper authentication. It is possible to initiate the attack…
- CVE-2022-26276Mar 12, 2022risk 0.00cvss —epss 0.00
An issue in index.php of OneNav v0.9.14 allows attackers to perform directory traversal.
- CVE-2021-38138Aug 5, 2021risk 0.00cvss —epss 0.00
OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.