35 matches found
Zoom Workplace VDI Client < 7.0.10 Vulnerability (ZSB-26014)
The version of Zoom Workplace VDI Client installed on the remote host is prior to 7.0.10. It is, therefore, affected by a vulnerability as referenced in the ZSB-26014 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...
WordPress Booked plugin <= 3.0.0 - Account Takeover vulnerability
Account Takeover vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Booked versions = 3.0.0...
EUVD-2020-18250
Malware in sbrugna...
EUVD-2022-0038
Malicious code in bioql PyPI...
EUVD-2021-8784
Malicious code in bioql PyPI...
EUVD-2022-5372
Malicious code in bioql PyPI...
Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover
Exploit Title: Stacks Mobile App Builder 5.2.3 - Authentication Bypass via Account Takeover Date: October 25, 2024 Exploit Author: stealthcopter Vendor Homepage: https://stacksmarket.co/ Software Link: https://wordpress.org/plugins/stacks-mobile-app-builder/ Version: = 5.2.3 Tested on: Ubuntu...
CVE-2025-53373
Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b...
CVE-2025-53373
Natours (Tour Booking API) has a Host header injection vulnerability in the /forgetpassword endpoint that lets an attacker take over a victim's account by supplying an attacker-controlled server domain. The issue is mitigated by the fix in commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b. Affected...
CVE-2025-4797 Golo <= 1.7.0 - Authentication Bypass to Account Takeover
The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it...
GO-2025-3721 ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel
ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...
CVE-2021-29487
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and takeover of and user account on an October CMS server. The vulnerability is exploitable by unauthenticated...
CVE-2020-9384
An Insecure Direct Object Reference IDOR vulnerability in the Change Password feature of Subex ROC Partner Settlement 10.5 allows remote authenticated users to achieve account takeover via manipulation of POST parameters. NOTE: This vulnerability may only affect a testing version of the applicati...
CVE-2020-10074
GitLab 10.1 through 12.8.1 has Incorrect Access Control. A scenario was discovered in which a GitLab account could be taken over through an expired link...
CVE-2019-14481
AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery CSRF vulnerability in the NetCrunch web client. Successful exploitation requires a logged-in user to open a malicious page and leads to account takeover...
CVE-2025-48070 Plane has insecure permissions in UserSerializer
Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site...
CVE-2025-47945
Donetick an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens JWT for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate...
CVE-2025-32390 EspoCRM vulnerable to HTML Injection into phishing, which may lead to account takeover
EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base KB articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and...
hostinger : 1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com
The vulnerability discovered in the marketing.hostinger.com subdomain allowed for one-click account takeover through the theft of authentication tokens. An attacker could exploit the whitelisted redirect functionality of the subdomain to steal a victim's authentication token, which could then be...
CVE-2025-1724
Zohocorp's ManageEngine Analytics Plus and Zoho Analytics on-premise versions older than 6130 are vulnerable to an AD only account takeover because of a hardcoded sensitive token...