Alfresco

All CVEs

38 total · sorted by risk
  • CVE-2024-29309 · High · May 2, 2024
    risk 0.50 · cvss 7.7 · epss 0.01

    An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service.

  • CVE-2026-3967 · Medium · Mar 12, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process…

  • CVE-2019-25367 · Medium · Feb 15, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html…

  • CVE-2025-0557 · Medium · Jan 18, 2025
    risk 0.28 · cvss 4.3 · epss 0.01

    A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is…

  • CVE-2025-12547 · Low · Oct 31, 2025
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads to improper restriction of excessive authentication attempts. The attack can be…

  • CVE-2025-12546 · Low · Oct 31, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed…

  • CVE-2025-11946 · Low · Oct 19, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile…

  • CVE-2019-14223 · Sep 6, 2019
    risk 0.04 · cvss n/a · epss 0.04

    An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating the POST parameters, an attacker can redirect a victim to a malicious…

  • CVE-2020-8778 · Mar 2, 2020
    risk 0.03 · cvss n/a · epss 0.03

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.

  • CVE-2020-8777 · Mar 2, 2020
    risk 0.03 · cvss n/a · epss 0.03

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.

  • CVE-2020-8776 · Mar 2, 2020
    risk 0.03 · cvss n/a · epss 0.03

    Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.

  • CVE-2014-9302 · Dec 7, 2014
    risk 0.03 · cvss n/a · epss 0.02

    Server-side request forgery (SSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition 5.0.a and earlier allows remote attackers to trigger outbound requests via a crafted URI in the url parameter.

  • CVE-2014-9301 · Dec 7, 2014
    risk 0.03 · cvss n/a · epss 0.04

    Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.

  • CVE-2026-26336 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.

  • CVE-2025-57244 · Nov 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, by passing frontend…

  • CVE-2024-24506 · Apr 3, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.

  • CVE-2023-39003 · Aug 9, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp.

  • CVE-2023-39004 · Aug 9, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation.

  • CVE-2023-38060 · Jul 24, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to perform a host header injection for the ContentType header of the…

  • CVE-2023-1250 · Mar 20, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names. This…

  • CVE-2023-1248 · Mar 20, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS). This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through…

  • CVE-2022-4427 · Dec 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice. This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1…

  • CVE-2020-18327 · Mar 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2.

  • CVE-2021-41792 · Oct 21, 2021
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3. A crafted HTML file, once uploaded, could trigger an unexpected request by the transformation engine. The response to the request…

  • CVE-2021-41790 · Oct 21, 2021
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment.

  • CVE-2021-3628 · Aug 30, 2021
    risk 0.00 · cvss n/a · epss 0.01

    OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via the uuid parameter.

  • CVE-2021-36092 · Jul 26, 2021
    risk 0.00 · cvss n/a · epss 0.01

    It's possible to create an email which contains a specially crafted link that can be used to perform an XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version…

  • CVE-2020-25727 · Sep 17, 2020
    risk 0.00 · cvss n/a · epss 0.01

    The Reset Password add-on before 1.2.0 for Alfresco suffers from CMIS-SQL Injection, which allows a malicious user to inject a query within the email input field.

  • CVE-2020-25728 · Sep 17, 2020
    risk 0.00 · cvss n/a · epss 0.01

    The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password, including the admin account.

  • CVE-2020-1771 · Mar 27, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An attacker is able to craft an article with a link to the customer address book with malicious content (JavaScript). When an agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior…

  • CVE-2019-19496 · Dec 2, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document.

  • CVE-2019-14222 · Sep 5, 2019
    risk 0.00 · cvss n/a · epss 0.03

    An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to Alfresco's Solr Web Admin Interface. The vulnerability is due to the presence of a default private key that is present in all default…

  • CVE-2019-14224 · Sep 5, 2019
    risk 0.00 · cvss n/a · epss 0.05

    An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload…

  • CVE-2019-15566 · Aug 26, 2019
    risk 0.00 · cvss n/a · epss 0.02

    The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java.

  • CVE-2015-3366 · Apr 21, 2015
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors.

  • CVE-2014-9300 · Dec 7, 2014
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition before 5.0.a allows remote attackers to hijack the authentication of users for requests that access unauthorized URLs…

  • CVE-2014-2939 · Jun 2, 2014
    risk 0.00 · cvss n/a · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter to share/page/task-edit.

  • CVE-2011-4949 · Aug 31, 2012
    risk 0.00 · cvss n/a · epss 0.02

    SQL injection vulnerability in phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to execute arbitrary SQL commands via the id…