Vulnerabilites related to jhumanj - opnform
CVE-2025-11439 (GCVE-0-2025-11439)
Vulnerability from cvelistv5
Published
2025-10-08 06:32
Modified
2025-10-08 17:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327376 | vdb-entry | |
https://vuldb.com/?ctiid.327376 | signature, permissions-required | |
https://vuldb.com/?submit.666880 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.reuyi9lwvpj | exploit | |
https://github.com/JhumanJ/OpnForm/pull/900/commits/11d97d78f2de2cb49f79baed6bde8b611ec1f384 | issue-tracking, patch |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11439", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T17:27:53.699854Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T17:28:05.301Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue." }, { "lang": "de", "value": "Eine Schwachstelle wurde in JhumanJ OpnForm up to 1.9.3 gefunden. Es geht um eine nicht n\u00e4her bekannte Funktion der Datei /show/integrations. Dank der Manipulation mit unbekannten Daten kann eine missing authorization-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden. Der Patch heisst 11d97d78f2de2cb49f79baed6bde8b611ec1f384. Es wird empfohlen, einen Patch anzuwenden, um dieses Problem zu beheben." } ], "metrics": [ { "cvssV4_0": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T06:32:09.874Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327376 | JhumanJ OpnForm integrations authorization", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327376" }, { "name": "VDB-327376 | CTI Indicators (IOB, IOC, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327376" }, { "name": "Submit #666880 | GitHub OpnForm 1.9.3 Improper Access Controls", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666880" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.reuyi9lwvpj" }, { "tags": [ "issue-tracking", "patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/11d97d78f2de2cb49f79baed6bde8b611ec1f384" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:47.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm integrations authorization" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11439", "datePublished": "2025-10-08T06:32:09.874Z", "dateReserved": "2025-10-07T13:17:21.002Z", "dateUpdated": "2025-10-08T17:28:05.301Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11442 (GCVE-0-2025-11442)
Vulnerability from cvelistv5
Published
2025-10-08 07:32
Modified
2025-10-08 13:19
Severity ?
2.1 (Low) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RC:C
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RC:C
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RC:C
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RC:C
VLAI Severity ?
EPSS score ?
Summary
A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327379 | vdb-entry | |
https://vuldb.com/?ctiid.327379 | signature, permissions-required | |
https://vuldb.com/?submit.666889 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq | exploit |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11442", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T13:19:42.485117Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T13:19:45.546Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "modules": [ "API Endpoint" ], "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access." }, { "lang": "de", "value": "In JhumanJ OpnForm up to 1.9.3 ist eine Schwachstelle entdeckt worden. Dabei geht es um eine nicht genauer bekannte Funktion der Komponente API Endpoint. Durch die Manipulation mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden." } ], "metrics": [ { "cvssV4_0": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "Cross-Site Request Forgery", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T07:32:05.380Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327379 | JhumanJ OpnForm API Endpoint cross-site request forgery", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327379" }, { "name": "VDB-327379 | CTI Indicators (IOB, IOC)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327379" }, { "name": "Submit #666889 | GitHub OpnForm 1.9.3 Cross-Site Request Forgery", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666889" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:52.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm API Endpoint cross-site request forgery" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11442", "datePublished": "2025-10-08T07:32:05.380Z", "dateReserved": "2025-10-07T13:17:31.034Z", "dateUpdated": "2025-10-08T13:19:45.546Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11436 (GCVE-0-2025-11436)
Vulnerability from cvelistv5
Published
2025-10-08 05:32
Modified
2025-10-08 17:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327373 | vdb-entry | |
https://vuldb.com/?ctiid.327373 | signature, permissions-required | |
https://vuldb.com/?submit.666877 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.dm5ttliupfqn | exploit | |
https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a | issue-tracking, patch |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11436", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T17:38:23.411540Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T17:40:25.931Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue." }, { "lang": "de", "value": "Es wurde eine Schwachstelle in JhumanJ OpnForm up to 1.9.3 entdeckt. Betroffen ist eine unbekannte Verarbeitung der Datei /answer. Die Manipulation f\u00fchrt zu unrestricted upload. Es ist m\u00f6glich, den Angriff aus der Ferne durchzuf\u00fchren. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden. Der Patch wird als 95c3e23856465d202e6aec10bdb6ee0688b5305a bezeichnet. Es empfiehlt sich, einen Patch einzuspielen, um dieses Problem zu beheben." } ], "metrics": [ { "cvssV4_0": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "Unrestricted Upload", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-284", "description": "Improper Access Controls", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T05:32:12.472Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327373 | JhumanJ OpnForm answer unrestricted upload", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327373" }, { "name": "VDB-327373 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327373" }, { "name": "Submit #666877 | GitHub OpnForm 1.9.3 Unrestricted Upload", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666877" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.dm5ttliupfqn" }, { "tags": [ "issue-tracking", "patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:42.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm answer unrestricted upload" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11436", "datePublished": "2025-10-08T05:32:12.472Z", "dateReserved": "2025-10-07T13:17:12.844Z", "dateUpdated": "2025-10-08T17:40:25.931Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11443 (GCVE-0-2025-11443)
Vulnerability from cvelistv5
Published
2025-10-08 07:32
Modified
2025-10-08 13:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327380 | vdb-entry | |
https://vuldb.com/?ctiid.327380 | signature, permissions-required | |
https://vuldb.com/?submit.666890 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp | exploit |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11443", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T13:16:40.931373Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T13:16:46.766Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "modules": [ "Forgotten Password Handler" ], "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken." }, { "lang": "de", "value": "Eine Schwachstelle wurde in JhumanJ OpnForm up to 1.9.3 gefunden. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei /api/password/email der Komponente Forgotten Password Handler. Durch Manipulation mit unbekannten Daten kann eine information exposure through discrepancy-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Ein Angriff erfordert eine vergleichsweise hohe Komplexit\u00e4t. Sie gilt als schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung." } ], "metrics": [ { "cvssV4_0": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-203", "description": "Information Exposure Through Discrepancy", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-200", "description": "Information Disclosure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T07:32:07.900Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327380 | JhumanJ OpnForm Forgotten Password email information exposure", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327380" }, { "name": "VDB-327380 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327380" }, { "name": "Submit #666890 | GitHub OpnForm 1.9.3 Account Enumeration on Password Recovery", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666890" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:53.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm Forgotten Password email information exposure" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11443", "datePublished": "2025-10-08T07:32:07.900Z", "dateReserved": "2025-10-07T13:17:33.700Z", "dateUpdated": "2025-10-08T13:16:46.766Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11440 (GCVE-0-2025-11440)
Vulnerability from cvelistv5
Published
2025-10-08 07:02
Modified
2025-10-08 13:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327377 | vdb-entry | |
https://vuldb.com/?ctiid.327377 | signature, permissions-required | |
https://vuldb.com/?submit.666881 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.t78mmp24qqk5 | exploit | |
https://github.com/JhumanJ/OpnForm/pull/900/commits/b15e29021d326be127193a5dbbd528c4e37e6324 | issue-tracking, patch |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11440", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T13:48:03.045413Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T13:48:06.257Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.t78mmp24qqk5" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue." }, { "lang": "de", "value": "Es wurde eine Schwachstelle in JhumanJ OpnForm up to 1.9.3 entdeckt. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei /edit. Dank Manipulation mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Der Patch tr\u00e4gt den Namen b15e29021d326be127193a5dbbd528c4e37e6324. Es wird geraten, einen Patch zu installieren, um dieses Problem zu l\u00f6sen." } ], "metrics": [ { "cvssV4_0": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "Improper Access Controls", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T07:02:07.818Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327377 | JhumanJ OpnForm edit access control", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327377" }, { "name": "VDB-327377 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327377" }, { "name": "Submit #666881 | GitHub OpnForm 1.9.3 Improper Access Controls", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666881" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.t78mmp24qqk5" }, { "tags": [ "issue-tracking", "patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/b15e29021d326be127193a5dbbd528c4e37e6324" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:49.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm edit access control" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11440", "datePublished": "2025-10-08T07:02:07.818Z", "dateReserved": "2025-10-07T13:17:24.556Z", "dateUpdated": "2025-10-08T13:48:06.257Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11435 (GCVE-0-2025-11435)
Vulnerability from cvelistv5
Published
2025-10-08 05:32
Modified
2025-10-08 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327372 | vdb-entry | |
https://vuldb.com/?ctiid.327372 | signature, permissions-required | |
https://vuldb.com/?submit.666876 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?usp=sharing | exploit | |
https://github.com/JhumanJ/OpnForm/pull/900/commits/a2af1184e53953afa8cb052f4055f288adcaa608 | issue-tracking, patch |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11435", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T17:42:26.475817Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T17:42:52.233Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch." }, { "lang": "de", "value": "Eine Schwachstelle wurde in JhumanJ OpnForm up to 1.9.3 gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Datei /show/submissions. Durch Beeinflussen mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Der Patch tr\u00e4gt den Namen a2af1184e53953afa8cb052f4055f288adcaa608. Es wird geraten, einen Patch zu installieren, um dieses Problem zu l\u00f6sen." } ], "metrics": [ { "cvssV4_0": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Cross Site Scripting", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-94", "description": "Code Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T05:32:08.513Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327372 | JhumanJ OpnForm submissions cross site scripting", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327372" }, { "name": "VDB-327372 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327372" }, { "name": "Submit #666876 | GitHub OpnForm 1.9.3 Cross Site Scripting", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666876" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?usp=sharing" }, { "tags": [ "issue-tracking", "patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/a2af1184e53953afa8cb052f4055f288adcaa608" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:41.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm submissions cross site scripting" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11435", "datePublished": "2025-10-08T05:32:08.513Z", "dateReserved": "2025-10-07T13:17:05.711Z", "dateUpdated": "2025-10-08T17:42:52.233Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11441 (GCVE-0-2025-11441)
Vulnerability from cvelistv5
Published
2025-10-08 07:02
Modified
2025-10-08 13:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327378 | vdb-entry, technical-description | |
https://vuldb.com/?ctiid.327378 | signature, permissions-required | |
https://vuldb.com/?submit.666888 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3 | exploit | |
https://github.com/JhumanJ/OpnForm/pull/900/commits/11e99960e14ca986b1a001a56e7533223d2cfa5b | issue-tracking, patch |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11441", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T13:47:23.607500Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T13:47:26.751Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "modules": [ "HTTP Header Handler" ], "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue." }, { "lang": "de", "value": "In JhumanJ OpnForm up to 1.9.3 wurde eine Schwachstelle gefunden. Es geht dabei um eine nicht klar definierte Funktion der Komponente HTTP Header Handler. Mit der Manipulation des Arguments X-Forwarded-For mit unbekannten Daten kann eine improper restriction of excessive authentication attempts-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Das Durchf\u00fchren eines Angriffs ist mit einer relativ hohen Komplexit\u00e4t verbunden. Die Ausnutzung wird als schwierig beschrieben. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden. Der Patch wird als 11e99960e14ca986b1a001a56e7533223d2cfa5b bezeichnet. Es empfiehlt sich, einen Patch einzuspielen, um dieses Problem zu beheben." } ], "metrics": [ { "cvssV4_0": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 3.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-307", "description": "Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-799", "description": "Improper Control of Interaction Frequency", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T07:02:11.296Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327378 | JhumanJ OpnForm HTTP Header excessive authentication", "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.327378" }, { "name": "VDB-327378 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327378" }, { "name": "Submit #666888 | GitHub OpnForm 1.9.3 Authentication Bypass by Spoofing", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666888" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3" }, { "tags": [ "issue-tracking", "patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/11e99960e14ca986b1a001a56e7533223d2cfa5b" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:50.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm HTTP Header excessive authentication" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11441", "datePublished": "2025-10-08T07:02:11.296Z", "dateReserved": "2025-10-07T13:17:27.203Z", "dateUpdated": "2025-10-08T13:47:26.751Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11438 (GCVE-0-2025-11438)
Vulnerability from cvelistv5
Published
2025-10-08 06:32
Modified
2025-10-08 17:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327375 | vdb-entry | |
https://vuldb.com/?ctiid.327375 | signature, permissions-required | |
https://vuldb.com/?submit.666879 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.gm61tyll8uys | exploit | |
https://github.com/JhumanJ/OpnForm/pull/900/commits/beb153ce52dceb971c1518f98333328c95f1ba20 | issue-tracking, patch |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11438", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T17:29:10.324171Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T17:32:06.050Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "modules": [ "API Endpoint" ], "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue." }, { "lang": "de", "value": "In JhumanJ OpnForm up to 1.9.3 ist eine Schwachstelle entdeckt worden. Betroffen hiervon ist ein unbekannter Ablauf der Datei /custom-domains der Komponente API Endpoint. Die Bearbeitung verursacht missing authorization. Der Angriff kann remote ausgef\u00fchrt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Der Name des Patches ist beb153ce52dceb971c1518f98333328c95f1ba20. Als bestm\u00f6gliche Massnahme wird Patching empfohlen." } ], "metrics": [ { "cvssV4_0": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-863", "description": "Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T06:32:06.726Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327375 | JhumanJ OpnForm API Endpoint custom-domains authorization", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327375" }, { "name": "VDB-327375 | CTI Indicators (IOB, IOC, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327375" }, { "name": "Submit #666879 | GitHub OpnForm 1.9.3 Improper Access Controls", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666879" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.gm61tyll8uys" }, { "tags": [ "issue-tracking", "patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/beb153ce52dceb971c1518f98333328c95f1ba20" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:45.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm API Endpoint custom-domains authorization" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11438", "datePublished": "2025-10-08T06:32:06.726Z", "dateReserved": "2025-10-07T13:17:18.151Z", "dateUpdated": "2025-10-08T17:32:06.050Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-11437 (GCVE-0-2025-11437)
Vulnerability from cvelistv5
Published
2025-10-08 06:02
Modified
2025-10-08 17:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector.
References
▼ | URL | Tags |
---|---|---|
https://vuldb.com/?id.327374 | vdb-entry | |
https://vuldb.com/?ctiid.327374 | signature, permissions-required | |
https://vuldb.com/?submit.666878 | third-party-advisory | |
https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.nowv0hlgdq8 | exploit |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-11437", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-08T17:34:10.693569Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-08T17:37:01.494Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "modules": [ "Form Editor" ], "product": "OpnForm", "vendor": "JhumanJ", "versions": [ { "status": "affected", "version": "1.9.0" }, { "status": "affected", "version": "1.9.1" }, { "status": "affected", "version": "1.9.2" }, { "status": "affected", "version": "1.9.3" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "balejin (VulDB User)" } ], "descriptions": [ { "lang": "en", "value": "A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector." }, { "lang": "de", "value": "In JhumanJ OpnForm up to 1.9.3 wurde eine Schwachstelle gefunden. Betroffen davon ist ein unbekannter Prozess der Datei /api/open/forms/ der Komponente Form Editor. Die Ver\u00e4nderung resultiert in cross site scripting. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden." } ], "metrics": [ { "cvssV4_0": { "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:C", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Cross Site Scripting", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-94", "description": "Code Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-08T06:02:06.384Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-327374 | JhumanJ OpnForm Form Editor forms cross site scripting", "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.327374" }, { "name": "VDB-327374 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.327374" }, { "name": "Submit #666878 | GitHub OpnForm 1.9.3 Cross Site Scripting", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.666878" }, { "tags": [ "exploit" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.nowv0hlgdq8" } ], "timeline": [ { "lang": "en", "time": "2025-10-07T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-10-07T02:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-10-07T15:22:44.000Z", "value": "VulDB entry last update" } ], "title": "JhumanJ OpnForm Form Editor forms cross site scripting" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2025-11437", "datePublished": "2025-10-08T06:02:06.384Z", "dateReserved": "2025-10-07T13:17:15.574Z", "dateUpdated": "2025-10-08T17:37:01.494Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2025-10-08 08:15
Modified
2025-10-09 16:14
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp | Exploit, Third Party Advisory | |
cna@vuldb.com | https://vuldb.com/?ctiid.327380 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327380 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666890 | Third Party Advisory, VDB Entry | |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken." } ], "id": "CVE-2025-11443", "lastModified": "2025-10-09T16:14:51.700", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T08:15:32.697", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327380" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327380" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666890" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.my0ldciyllp" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" }, { "lang": "en", "value": "CWE-203" } ], "source": "cna@vuldb.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 06:15
Modified
2025-10-09 16:19
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.dm5ttliupfqn | Exploit, Third Party Advisory | |
cna@vuldb.com | https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a | Patch | |
cna@vuldb.com | https://vuldb.com/?ctiid.327373 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327373 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666877 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability was detected in JhumanJ OpnForm up to 1.9.3. Affected by this issue is some unknown functionality of the file /answer. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The patch is identified as 95c3e23856465d202e6aec10bdb6ee0688b5305a. It is advisable to implement a patch to correct this issue." } ], "id": "CVE-2025-11436", "lastModified": "2025-10-09T16:19:29.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T06:15:34.883", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.dm5ttliupfqn" }, { "source": "cna@vuldb.com", "tags": [ "Patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/95c3e23856465d202e6aec10bdb6ee0688b5305a" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327373" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327373" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666877" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" }, { "lang": "en", "value": "CWE-434" } ], "source": "cna@vuldb.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 07:15
Modified
2025-10-09 16:17
Severity ?
Summary
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.gm61tyll8uys | Exploit, Third Party Advisory | |
cna@vuldb.com | https://github.com/JhumanJ/OpnForm/pull/900/commits/beb153ce52dceb971c1518f98333328c95f1ba20 | Patch | |
cna@vuldb.com | https://vuldb.com/?ctiid.327375 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327375 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666879 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. This vulnerability affects unknown code of the file /custom-domains of the component API Endpoint. Such manipulation leads to missing authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is beb153ce52dceb971c1518f98333328c95f1ba20. It is best practice to apply a patch to resolve this issue." } ], "id": "CVE-2025-11438", "lastModified": "2025-10-09T16:17:50.810", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T07:15:31.283", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.gm61tyll8uys" }, { "source": "cna@vuldb.com", "tags": [ "Patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/beb153ce52dceb971c1518f98333328c95f1ba20" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327375" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327375" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666879" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" }, { "lang": "en", "value": "CWE-863" } ], "source": "cna@vuldb.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 07:15
Modified
2025-10-09 16:16
Severity ?
Summary
A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3 | Exploit, Third Party Advisory | |
cna@vuldb.com | https://github.com/JhumanJ/OpnForm/pull/900/commits/11e99960e14ca986b1a001a56e7533223d2cfa5b | Patch | |
cna@vuldb.com | https://vuldb.com/?ctiid.327378 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327378 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666888 | Third Party Advisory, VDB Entry | |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability was identified in JhumanJ OpnForm up to 1.9.3. The affected element is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is described as difficult. The exploit is publicly available and might be used. The identifier of the patch is 11e99960e14ca986b1a001a56e7533223d2cfa5b. It is suggested to install a patch to address this issue." } ], "id": "CVE-2025-11441", "lastModified": "2025-10-09T16:16:18.053", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T07:15:33.080", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3" }, { "source": "cna@vuldb.com", "tags": [ "Patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/11e99960e14ca986b1a001a56e7533223d2cfa5b" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327378" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327378" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666888" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-307" }, { "lang": "en", "value": "CWE-799" } ], "source": "cna@vuldb.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 08:15
Modified
2025-10-09 16:15
Severity ?
Summary
A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq | Exploit, Third Party Advisory | |
cna@vuldb.com | https://vuldb.com/?ctiid.327379 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327379 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666889 | Third Party Advisory, VDB Entry | |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through means such as XSS which were mitigated, disabling any form of initial access." } ], "id": "CVE-2025-11442", "lastModified": "2025-10-09T16:15:49.933", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T08:15:32.000", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327379" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327379" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666889" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" }, { "lang": "en", "value": "CWE-862" } ], "source": "cna@vuldb.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 06:15
Modified
2025-10-09 16:20
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?usp=sharing | Exploit, Third Party Advisory | |
cna@vuldb.com | https://github.com/JhumanJ/OpnForm/pull/900/commits/a2af1184e53953afa8cb052f4055f288adcaa608 | Patch | |
cna@vuldb.com | https://vuldb.com/?ctiid.327372 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327372 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666876 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A security vulnerability has been detected in JhumanJ OpnForm up to 1.9.3. Affected by this vulnerability is an unknown functionality of the file /show/submissions. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is a2af1184e53953afa8cb052f4055f288adcaa608. To fix this issue, it is recommended to deploy a patch." } ], "id": "CVE-2025-11435", "lastModified": "2025-10-09T16:20:09.710", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T06:15:34.600", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?usp=sharing" }, { "source": "cna@vuldb.com", "tags": [ "Patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/a2af1184e53953afa8cb052f4055f288adcaa608" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327372" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327372" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666876" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" }, { "lang": "en", "value": "CWE-94" } ], "source": "cna@vuldb.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 06:15
Modified
2025-10-09 16:18
Severity ?
2.4 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.nowv0hlgdq8 | Exploit, Third Party Advisory | |
cna@vuldb.com | https://vuldb.com/?ctiid.327374 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327374 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666878 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A flaw has been found in JhumanJ OpnForm up to 1.9.3. This affects an unknown part of the file /api/open/forms/ of the component Form Editor. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This issue is currently under review for additional handling. As of right now the vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector." } ], "id": "CVE-2025-11437", "lastModified": "2025-10-09T16:18:50.383", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T06:15:35.130", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.nowv0hlgdq8" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327374" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327374" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666878" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" }, { "lang": "en", "value": "CWE-94" } ], "source": "cna@vuldb.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 07:15
Modified
2025-10-09 16:18
Severity ?
Summary
A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.reuyi9lwvpj | Exploit, Third Party Advisory | |
cna@vuldb.com | https://github.com/JhumanJ/OpnForm/pull/900/commits/11d97d78f2de2cb49f79baed6bde8b611ec1f384 | Patch | |
cna@vuldb.com | https://vuldb.com/?ctiid.327376 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327376 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666880 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in JhumanJ OpnForm up to 1.9.3. This issue affects some unknown processing of the file /show/integrations. Performing manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named 11d97d78f2de2cb49f79baed6bde8b611ec1f384. It is recommended to apply a patch to fix this issue." } ], "id": "CVE-2025-11439", "lastModified": "2025-10-09T16:18:15.197", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T07:15:32.597", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.reuyi9lwvpj" }, { "source": "cna@vuldb.com", "tags": [ "Patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/11d97d78f2de2cb49f79baed6bde8b611ec1f384" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327376" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327376" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666880" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" }, { "lang": "en", "value": "CWE-863" } ], "source": "cna@vuldb.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-10-08 07:15
Modified
2025-10-09 16:17
Severity ?
Summary
A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue.
References
▼ | URL | Tags | |
---|---|---|---|
cna@vuldb.com | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.t78mmp24qqk5 | Exploit, Third Party Advisory | |
cna@vuldb.com | https://github.com/JhumanJ/OpnForm/pull/900/commits/b15e29021d326be127193a5dbbd528c4e37e6324 | Patch | |
cna@vuldb.com | https://vuldb.com/?ctiid.327377 | Permissions Required, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?id.327377 | Third Party Advisory, VDB Entry | |
cna@vuldb.com | https://vuldb.com/?submit.666881 | Third Party Advisory, VDB Entry | |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.t78mmp24qqk5 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:jhumanj:opnform:*:*:*:*:*:*:*:*", "matchCriteriaId": "C896A041-D9C4-42F0-9477-C57E07D6EFF6", "versionEndIncluding": "1.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A vulnerability was determined in JhumanJ OpnForm up to 1.9.3. Impacted is an unknown function of the file /edit. Executing manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called b15e29021d326be127193a5dbbd528c4e37e6324. Applying a patch is advised to resolve this issue." } ], "id": "CVE-2025-11440", "lastModified": "2025-10-09T16:17:19.923", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "cna@vuldb.com", "type": "Secondary" } ] }, "published": "2025-10-08T07:15:32.843", "references": [ { "source": "cna@vuldb.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.t78mmp24qqk5" }, { "source": "cna@vuldb.com", "tags": [ "Patch" ], "url": "https://github.com/JhumanJ/OpnForm/pull/900/commits/b15e29021d326be127193a5dbbd528c4e37e6324" }, { "source": "cna@vuldb.com", "tags": [ "Permissions Required", "VDB Entry" ], "url": "https://vuldb.com/?ctiid.327377" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?id.327377" }, { "source": "cna@vuldb.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://vuldb.com/?submit.666881" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.t78mmp24qqk5" } ], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-266" }, { "lang": "en", "value": "CWE-284" } ], "source": "cna@vuldb.com", "type": "Secondary" } ] }