Serpico

serpico

CVEs (7)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-12687 1Serpico Project 1Serpico Nov 21, 2024 May 7, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachment...Show more An issue was discovered in Serpico before 1.3.3. The /admin/attacments_backup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users (including administrators) from the database.Show less
CVE-2019-19859 1Serpico Project 1Serpico Nov 21, 2024 Jan 15, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The Add Collaborator allows unlimited data via the author parameter, even if the data does not match anything in the database.
CVE-2019-19858 1Serpico Project 1Serpico Nov 21, 2024 Jan 15, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/add_user/UID allows stored XSS via the author parameter.
CVE-2019-19857 1Serpico Project 1Serpico Nov 21, 2024 Jan 15, 2020 N/A· v4 6.5 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password scre...Show more An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. An admin can change their password without providing the current password, by using interfaces outside the Change Password screen. Thus, requiring the admin to enter an Old Password value on the Change Password screen does not enhance security. This is problematic in conjunction with XSS.Show less
CVE-2019-19856 1Serpico Project 1Serpico Nov 21, 2024 Jan 15, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. The User Type on the admin/list_user page allows stored XSS via the type parameter.
CVE-2019-19855 1Serpico Project 1Serpico Nov 21, 2024 Jan 15, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. admin/list_user allows stored XSS via the auth_type parameter.
CVE-2019-19854 1Serpico Project 1Serpico Nov 21, 2024 Jan 15, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is...Show more An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is problematic in conjunction with XSS: one can escalate privileges from User level to Administrator.Show less