VYPR
Vendor

Syspass

Products
1
CVEs
6
Across products
6
Status
Private

Products

1

Recent CVEs

6
  • CVE-2025-25477HigFeb 28, 2025
    risk 0.53cvss 8.1epss 0.00

    A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser.

  • CVE-2017-5999HigMar 6, 2017
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of…

  • CVE-2025-25478MedFeb 28, 2025
    risk 0.42cvss 6.5epss 0.00

    The account file upload functionality in Syspass 3.2.x fails to properly handle special characters in filenames. This mismanagement leads to the disclosure of the web application s source code, exposing sensitive information such as the database password.

  • CVE-2024-42904MedSep 3, 2024
    risk 0.40cvss 6.1epss 0.00

    A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php.

  • CVE-2017-9306MedMay 31, 2017
    risk 0.40cvss 6.1epss 0.01

    inc/SP/Html/Html.class.php in sysPass 2.1.9 allows remote attackers to bypass the XSS filter, as demonstrated by use of an "<svg/onload=" substring instead of an "<svg onload=" substring.

  • CVE-2025-25476MedFeb 28, 2025
    risk 0.35cvss 5.4epss 0.00

    A stored cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows a malicious user with elevated privileges to execute arbitrary Javascript code by specifying a malicious XSS payload as a notification type or notification component.