21 matches found
CVE-2026-35220
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...
BIT-JOOMLA-2026-35220 Joomla! Core - [20260505] - CSRF in user activation endpoint
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...
CVE-2026-35220 Joomla! Core - [20260505] - CSRF in user activation endpoint
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...
CVE-2026-35220
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...
EUVD-2026-31889
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...
CVE-2026-35220 Joomla! Core - [20260505] - CSRF in user activation endpoint
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of comusers...
PT-2026-43291
Name of the Vulnerable Software and Affected Versions com users affected versions not specified Description Lack of Cross-Site Request Forgery CSRF token validation—a mechanism used to prevent unauthorized commands from being transmitted from a user the web application trusts—leads to a CSRF atta...
CVE-2026-27659
Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to properly validate CSRF tokens in the /api/v4/accesscontrolpolicies/policyid/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...
CVE-2026-29069
Craft is a content management system CMS. Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...
CVE-2019-25405
Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. Attackers can send POST requests to the license activation endpoint with script payloads in the newLicense fie...
CVE-2019-25405
Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. Attackers can send POST requests to the license activation endpoint with script payloads in the newLicense fie...
Comodo Dome Firewall 跨站脚本漏洞
Comodo Dome Firewall is a unified threat management and next-generation firewall provided by the Chinese company Comodo. Version 2.7.0 of Comodo Dome Firewall contains a cross-site scripting vulnerability. This vulnerability stems from insufficient input validation of the newLicense parameter at...
CVE-2022-4985
Vodafone H500s devices running firmware v3.5.10 hardware model Sercomm VFH500 expose the WiFi access point password via an unauthenticated HTTP endpoint. By sending a crafted GET request to /data/activation.json with specific headers and cookies, a remote attacker can retrieve a JSON document tha...
CVE-2022-4985
CVE-2022-4985 affects Vodafone H500s routers with firmware v3.5.10 (Sercomm VFH500). An unauthenticated HTTP GET to /data/activation.json with crafted headers/cookies discloses a JSON payload containing wifi_password, enabling remote attackers to obtain Wi‑Fi credentials and gain unauthorized net...
PT-2025-47023
Name of the Vulnerable Software and Affected Versions Vodafone H500s devices version 3.5.10 Description Vodafone H500s devices running firmware version 3.5.10 hardware model Sercomm VFH500 have an issue where the WiFi access point password is exposed through an unauthenticated HTTP endpoint. An...
CVE-2025-62516
...
CVE-2025-7664
The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the checkactivatepermission permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.1.1. The callback reads the client-supplied...
CVE-2025-7664 Al Pack <= 1.1.1 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function
The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the checkactivatepermission permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.1.1. The callback reads the client-supplied...
CVE-2025-7664 Al Pack <= 1.1.1 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function
The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the checkactivatepermission permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.1.1. The callback reads the client-supplied...
CVE-2024-25723
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/usernameorid/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched...