Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Galette Subscribe
Filtered by product Galette
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41260 1 Galette 1 Galette 2021-12-21 6.8 MEDIUM 8.8 HIGH
Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue.
CVE-2021-41262 1 Galette 1 Galette 2021-12-21 6.5 MEDIUM 8.8 HIGH
Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to SQL injection attacks by users with "member" privilege. Users are advised to upgrade to version 0.9.6 as soon as possible. There are no known workarounds.
CVE-2021-41261 1 Galette 1 Galette 2021-12-21 3.5 LOW 4.8 MEDIUM
Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to stored cross site scripting attacks via the preferences footer. The preference footer can only be altered by a site admin. This issue has been resolved in the 0.9.6 release and all users are advised to upgrade. There are no known workarounds.
CVE-2021-21319 1 Galette 1 Galette 2021-10-27 3.5 LOW 5.4 MEDIUM
Galette is a membership management web application geared towards non profit organizations. In versions prior to 0.9.5, malicious javascript code can be stored to be displayed later on self subscription page. The self subscription feature can be disabled as a workaround (this is the default state). Malicious javascript code can be executed (not stored) on login and retrieve password pages. This issue is patched in version 0.9.5.