
18 matches found

RedhatCVE
added 2026/05/11 8:26 p.m. · 4 views

CVE-2021-47953

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and...

CVSS 5.3 · AI score 5.7 · EPSS 0.00025
Exploits 0 · References 1
CVE
added 2026/05/10 12:52 p.m. · 7 views

CVE-2021-47953

OpenCart 3.0.3.7 is affected by a cross-site request forgery (CSRF) vulnerability in the account/password endpoint. An attacker can lure an authenticated user into submitting a hidden form with new password values (password and confirm), enabling account takeover. The vulnerability is documented ...

CVSS 5.3 · AI score 5.7 · EPSS 0.00025
Exploits 0 · References 2
NVD
added 2026/04/30 3:16 p.m. · 1 view

CVE-2026-7500

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

CVSS 5.4 · EPSS 0.00029
Exploits 0 · References 2
NVD
added 2026/04/08 8:16 p.m. · 1 view

CVE-2026-35476

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

CVSS 7.2 · EPSS 0.00035
Exploits 0 · References 2
Positive Technologies
added 2026/04/08 12:00 a.m. · 4 views

PT-2026-31433

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

CVSS 7.2 · AI score 6 · EPSS 0.00035
Exploits 0 · References 3
OSV
added 2026/01/10 1:07 a.m. · 3 views

CVE-2026-22604 OpenProject is vulnerable to user enumeration via the change password function

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/changepassword endpoint with an arbitrary User ID as the passwordchangeuserid parameter, the resulting error page would show the...

CVSS 6.9 · AI score 6.8 · EPSS 0.00052
Exploits 0 · References 6
NVD
added 2026/01/02 5:16 p.m. · 4 views

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVSS 8.5 · EPSS 0.00066
Exploits 1 · References 1
CNNVD
added 2026/01/02 12:00 a.m. · 3 views

Plex media server security vulnerability

Plex media server is a media player from Plex. A security vulnerability exists in Plex Media Server version 1.42.2.10156 and earlier, which stems from a permanent access token that can be retrieved via a transient access token call to /myplex/account, which could lead to an access token disclosur...

CVSS 8.5 · AI score 6.5 · EPSS 0.00066
Exploits 1 · References 2
CNNVD
added 2025/08/29 12:00 a.m. · 2 views

Code-Projects Simple Grading System security vulnerability

Simple Grading System is a simple grading system. Simple Grading System suffers from a SQL injection vulnerability that stems from a lack of validation of externally entered SQL statements in the parameter ID in the file /deleteaccount.php. An attacker can exploit this vulnerability to execute...

CVSS 8.8 · AI score 8.1 · EPSS 0.00064
Exploits 1 · References 7
NVD
added 2025/07/25 1:15 p.m. · 3 views

CVE-2025-43712

JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLEUSER. By manipulating the authorities...

CVSS 8 · EPSS 0.00162
Exploits 0 · References 4
RedhatCVE
added 2025/05/23 8:58 a.m. · 1 view

CVE-2024-7749

A vulnerability, which was classified as problematic, was found in SourceCodester Accounts Manager App 1.0. Affected is an unknown function of the file /endpoint/add-account.php. The manipulation of the argument accountname leads to cross site scripting. It is possible to launch the attack...

CVSS 5.4 · AI score 5.4 · EPSS 0.00091
Exploits 1 · References 1
CNNVD
added 2024/11/25 12:00 a.m. · 2 views

CodeAstro Hospital Management System security vulnerability

CodeAstro Hospital Management System is a hospital management system from CodeAstro, Inc. A security vulnerability exists in CodeAstro Hospital Management System version 1.0, which originates from an unrestricted file upload issue contained in the docdpic parameter of the...

CVSS 8.8 · AI score 6.6 · EPSS 0.00175
Exploits 1 · References 1
OSV
added 2024/08/13 10:15 p.m. · 0 views

CVE-2024-7749

A vulnerability, which was classified as problematic, was found in SourceCodester Accounts Manager App 1.0. Affected is an unknown function of the file /endpoint/add-account.php. The manipulation of the argument accountname leads to cross site scripting. It is possible to launch the attack...

CVSS 5.4 · AI score 3.8
Exploits 0 · References 4
Positive Technologies
added 2024/08/13 12:00 a.m. · 1 view

PT-2024-38556 · Sourcecodester · Sourcecodester Accounts Manager App

Name of the Vulnerable Software and Affected Versions: SourceCodester Accounts Manager App version 1.0 Description: A critical issue has been found in the processing of the file "/endpoint/delete-account.php". The manipulation of the account argument leads to SQL injection. The attack may be...

CVSS 9.8 · AI score 7.2 · EPSS 0.00136
Exploits 1 · References 9
Positive Technologies
added 2024/08/13 12:00 a.m. · 1 view

PT-2024-38557 · Sourcecodester · Sourcecodester Accounts Manager App

Name of the Vulnerable Software and Affected Versions: SourceCodester Accounts Manager App version 1.0 Description: A problematic issue was found in the SourceCodester Accounts Manager App, affecting an unknown function of the file /endpoint/add-account.php. The manipulation of the account name...

CVSS 5.4 · AI score 4.3 · EPSS 0.00091
Exploits 1 · References 8
CNNVD
added 2024/08/13 12:00 a.m. · 1 view

SourceCodester Accounts Manager App SQL injection vulnerability

SourceCodester Accounts Manager App is a web-based application from SourceCodester, Inc. It is designed to manage online accounts efficiently and securely. A SQL injection vulnerability exists in SourceCodester Accounts Manager App version 1.0, which stems from the parameter account in the file...

CVSS 9.8 · AI score 7.1 · EPSS 0.00136
Exploits 1 · References 5
CNNVD
added 2023/03/15 12:00 a.m. · 2 views

wallabag security vulnerability

wallabag is a web application that allows you to save web pages for later reading. A cross-site request forgery vulnerability exists in wallabag version 2.5.2. An attacker can exploit this vulnerability to arbitrarily delete user accounts via the /account/delete endpoint...

CVSS 6.5 · AI score 6.3 · EPSS 0.00079
Exploits 1 · References 2
Positive Technologies
added 2022/08/26 12:00 a.m. · 3 views

PT-2022-23550 · Unknown · Simple Task Scheduling System

Name of the Vulnerable Software and Affected Versions: Simple Task Scheduling System version 1.0 Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the id parameter at the "/classes/Master.php?f=delete account" API endpoint. Recommendations...

CVSS 9.8 · AI score 9.4 · EPSS 0.00334
Exploits 1 · References 4