Erudika Scoold vulnerabilities
6 known vulnerabilities affecting erudika/scoold.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: HIGH 1, MEDIUM 5
Vulnerabilities
CVE-2024-50334 | P1 | MEDIUM | CVSS 5.3 | Exploited | PoC | affects ≤ 1.64.0 | fixed in 1.64.0 | 2024-10-29
CVE-2024-50334 [MEDIUM] CWE-288
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Co
Source: nvd
CVE-2022-1543 | P3 | HIGH | CVSS 8.8 | fixed in 1.49.4 | 2022-04-29
CVE-2022-1543 [HIGH] CWE-130
Improper handling of the Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough, the service suffers a momentary outage in a production environment. That can lead to memory corruption on the server.
Source: nvd
CVE-2026-42176 | P3 | MEDIUM | CVSS 6.7 | fixed in 1.67.0 | 2026-05-08
CVE-2026-42176 [MEDIUM] CWE-306
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The
Source: nvd
CVE-2026-34832 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.66.1 | 2026-04-02
CVE-2026-34832 [MEDIUM] CWE-639
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce
Source: nvd
CVE-2026-39354 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.66.2 | 2026-04-07
CVE-2026-39354 [MEDIUM] CWE-639
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question UR
Source: nvd
CVE-2021-46372 | P4 | MEDIUM | CVSS 5.4 | affects v1.47.2 | 2022-02-18
CVE-2021-46372 [MEDIUM] CWE-79
Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. When writing a Q&A, the markdown editor is vulnerable to an XSS attack when using uppercase letters.
Source: nvd