Erudika

erudika

7 CVEs • 2 products

Products (2)

Click to collapse

Toggle

CVEs (7)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-39354 1Erudika 1Scoold Apr 10, 2026 Apr 7, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplyi...Show more Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.Show less
CVE-2026-34832 1Erudika 1Scoold Apr 15, 2026 Apr 2, 2026 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete anothe...Show more Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.Show less
CVE-2024-50334 1Erudika 1Scoold Nov 8, 2024 Oct 29, 2024 8.7 HIGH· v4 5.3 MEDIUM· v3 N/A· v2 Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and ga...Show more Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.Show less
CVE-2022-1848 1Erudika 1Para Nov 21, 2024 May 24, 2022 N/A· v4 5.3 MEDIUM· v3 4.3 MEDIUM· v2 Business Logic Errors in GitHub repository erudika/para prior to 1.45.11.
CVE-2022-1782 1Erudika 1Para Nov 21, 2024 May 18, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11.
CVE-2022-1543 1Erudika 1Scoold Nov 21, 2024 Apr 29, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough the service results in a momentary outage in a production environment. That can lead to memory...Show more Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough the service results in a momentary outage in a production environment. That can lead to memory corruption on the server.Show less
CVE-2021-46372 1Erudika 1Scoold Nov 21, 2024 Feb 18, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. When writing a Q&A, the markdown editor is vulnerable to a XSS attack when using uppercase letters.