CVE-2025-27913
- EPSS 0.06%
- Published 10.03.2025 00:00:00
- Last modified 19.06.2025 00:14:38
Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header.
CVE-2024-33669
- EPSS 0.16%
- Published 26.04.2024 01:15:46
- Last modified 18.06.2025 19:26:21
An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS q...
CVE-2024-33670
- EPSS 0.46%
- Published 26.04.2024 01:15:46
- Last modified 18.06.2025 19:16:31
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restr...
CVE-2017-1000442
- EPSS 0.25%
- Published 02.01.2018 14:29:00
- Last modified 21.11.2024 03:04:44
Passbolt API versions 1.6.4 and older are vulnerable to an XSS in the URL field on the password workspace.