Vendor CVEs
Alfresco
All CVEs
38 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-29309 | | High | 0.50 | 7.7 | 0.01 | | May 2, 2024 | An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service. |
| CVE-2026-3967 | | Med | 0.41 | 6.3 | 0.00 | | Mar 12, 2026 | A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process… |
| CVE-2019-25367 | | Med | 0.35 | 5.4 | 0.00 | | Feb 15, 2026 | ArangoDB Community Edition 3.4.2-1 contains multiple cross-site scripting vulnerabilities in the Aardvark web admin interface (index.html) through search, user management, and API parameters. Attackers can inject scripts via parameters in /_db/_system/_admin/aardvark/index.html… |
| CVE-2025-0557 | | Med | 0.28 | 4.3 | 0.01 | | Jan 18, 2025 | A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is… |
| CVE-2025-12547 | | Low | 0.24 | 3.7 | 0.01 | | Oct 31, 2025 | A vulnerability was identified in LogicalDOC Community Edition up to 9.2.1. This vulnerability affects unknown code of the file /login.jsp of the component Admin Login Page. Such manipulation leads to improper restriction of excessive authentication attempts. The attack can be… |
| CVE-2025-12546 | | Low | 0.23 | 3.5 | 0.00 | | Oct 31, 2025 | A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed… |
| CVE-2025-11946 | | Low | 0.23 | 3.5 | 0.00 | | Oct 19, 2025 | A security flaw has been discovered in LogicalDOC Community Edition up to 9.2.1. This issue affects some unknown processing of the file /frontend.jsp of the component Add Contact Page. Performing manipulation of the argument First Name/Last Name/Company/Address/Phone/Mobile… |
| CVE-2019-14223 | | | 0.04 | — | 0.04 | | Sep 6, 2019 | An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating the POST parameters, an attacker can redirect a victim to a malicious… |
| CVE-2020-8778 | | | 0.03 | — | 0.03 | | Mar 2, 2020 | Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project. |
| CVE-2020-8777 | | | 0.03 | — | 0.03 | | Mar 2, 2020 | Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document. |
| CVE-2020-8776 | | | 0.03 | — | 0.03 | | Mar 2, 2020 | Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file. |
| CVE-2014-9302 | | | 0.03 | — | 0.02 | | Dec 7, 2014 | Server-side request forgery (SSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition 5.0.a and earlier allows remote attackers to trigger outbound requests via a crafted URI in the url parameter. |
| CVE-2014-9301 | | | 0.03 | — | 0.04 | | Dec 7, 2014 | Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter. |
| CVE-2026-26336 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files. |
| CVE-2025-57244 | | | 0.00 | — | 0.00 | | Nov 5, 2025 | OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, by passing frontend… |
| CVE-2024-24506 | | | 0.00 | — | 0.01 | | Apr 3, 2024 | Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function. |
| CVE-2023-39003 | | | 0.00 | — | 0.01 | | Aug 9, 2023 | OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 was discovered to contain insecure permissions in the directory /tmp. |
| CVE-2023-39004 | | | 0.00 | — | 0.01 | | Aug 9, 2023 | Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation. |
| CVE-2023-38060 | | | 0.00 | — | 0.01 | | Jul 24, 2023 | Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to to perform an host header injection for the ContentType header of the… |
| CVE-2023-1250 | | | 0.00 | — | 0.00 | | Mar 20, 2023 | Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This… |
| CVE-2023-1248 | | | 0.00 | — | 0.00 | | Mar 20, 2023 | Improper Input Validation vulnerability in OTRS AG OTRS (Ticket Actions modules), OTRS AG ((OTRS)) Community Edition (Ticket Actions modules) allows Cross-Site Scripting (XSS).This issue affects OTRS: from 7.0.X before 7.0.42; ((OTRS)) Community Edition: from 6.0.1 through… |
| CVE-2022-4427 | | | 0.00 | — | 0.01 | | Dec 19, 2022 | Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1… |
| CVE-2020-18327 | | | 0.00 | — | 0.01 | | Mar 4, 2022 | Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2 |
| CVE-2021-41792 | | | 0.00 | — | 0.01 | | Oct 21, 2021 | An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3. A crafted HTML file, once uploaded, could trigger an unexpected request by the transformation engine. The response to the request… |
| CVE-2021-41790 | | | 0.00 | — | 0.01 | | Oct 21, 2021 | An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment. |
| CVE-2021-3628 | | | 0.00 | — | 0.01 | | Aug 30, 2021 | OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via de uuid parameter. |
| CVE-2021-36092 | | | 0.00 | — | 0.01 | | Jul 26, 2021 | It's possible to create an email which contains specially crafted link and it can be used to perform XSS attack. This issue affects: OTRS AG ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version… |
| CVE-2020-25727 | | | 0.00 | — | 0.01 | | Sep 17, 2020 | The Reset Password add-on before 1.2.0 for Alfresco suffers from CMIS-SQL Injection, which allows a malicious user to inject a query within the email input field. |
| CVE-2020-25728 | | | 0.00 | — | 0.01 | | Sep 17, 2020 | The Reset Password add-on before 1.2.0 for Alfresco has a broken algorithm (involving an increment) that allows a malicious user to change any user's account password include the admin account. |
| CVE-2020-1771 | | | 0.00 | — | 0.01 | | Mar 27, 2020 | Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: ((OTRS)) Community Edition: 6.0.26 and prior… |
| CVE-2019-19496 | | | 0.00 | — | 0.01 | | Dec 2, 2019 | Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document. |
| CVE-2019-14222 | | | 0.00 | — | 0.03 | | Sep 5, 2019 | An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to Alfresco's Solr Web Admin Interface. The vulnerability is due to the presence of a default private key that is present in all default… |
| CVE-2019-14224 | | | 0.00 | — | 0.05 | | Sep 5, 2019 | An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload… |
| CVE-2019-15566 | | | 0.00 | — | 0.02 | | Aug 26, 2019 | The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java. |
| CVE-2015-3366 | | | 0.00 | — | 0.01 | | Apr 21, 2015 | Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors. |
| CVE-2014-9300 | | | 0.00 | — | 0.01 | | Dec 7, 2014 | Cross-site request forgery (CSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition before 5.0.a allows remote attackers to hijack the authentication of users for requests that access unauthorized URLs… |
| CVE-2014-2939 | | | 0.00 | — | 0.01 | | Jun 2, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Alfresco Enterprise before 4.1.6.13 allow remote attackers to inject arbitrary web script or HTML via (1) an XHTML document, (2) a <% tag, or (3) the taskId parameter to share/page/task-edit. |
| CVE-2011-4949 | | | 0.00 | — | 0.02 | | Aug 31, 2012 | SQL injection vulnerability in phpgwapi/js/dhtmlxtree/samples/with_db/loaddetails.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to execute arbitrary SQL commands via the id… |