19 matches found
CVE-2026-46407
Vvveb CMS contains an IDOR in the backend/admin/auth-token endpoint. An authenticated administrator can load another admin's REST API token list by supplying that user’s admin_id, leading to disclosure of sensitive tokens. The issue is fixed in version 1.0.8.3. No exploitation details are provide...
PT-2026-29537
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow...
CVE-2025-10484
The CVE-2025-10484 entry concerns the Registration & Login with Mobile Phone Number for WooCommerce plugin (WordPress). Affected versions: all up to and including 1.3.1, where authentication bypass is achieved via the fma_lwp_set_session_php_fun() path, allowing unauthenticated users to impersona...
Siemens SiPass Integrated 安全漏洞
Siemens SiPass Integrated is a powerful and extremely flexible access control system from Siemens, Germany. A security vulnerability exists in Siemens SiPass Integrated prior to version V3.0, which stems from a key for encrypting passwords that can be accessed by an administrator, potentially...
EUVD-2025-25257
Malicious code in bioql PyPI...
EUVD-2025-16711
Malicious code in bioql PyPI...
EUVD-2024-16481
Malicious code in bioql PyPI...
PT-2025-25181 · WordPress · Wp-Downloadmanager
Name of the Vulnerable Software and Affected Versions: WP-DownloadManager versions 1.68.10 and earlier Description: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to a lack of restriction on the directory from which a file can be deleted. This allows...
CVE-2025-24399
Jenkins OpenId Connect Authentication Plugin 4.452.v2849bd3945fa and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that...
CVE-2024-28288
Ruijie RG-NBR700GW 10.34b12 router lacks cookie verification when resetting the password, resulting in an administrator password reset vulnerability. An attacker can use this vulnerability to log in to the device and disrupt the business of the enterprise...
CVE-2024-47806
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a1de8 and earlier does not check the aud Audience claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins...
WordPress plugin WP-PManager 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...
PT-2024-39463 · WordPress · Rank Math Seo
Name of the Vulnerable Software and Affected Versions: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress versions up to, and including, 1.0.228 Description: The issue is caused by a missing capability check on the update metadata function, allowing unauthenticated attacke...
PT-2024-30790 · WordPress · Social Connect
Name of the Vulnerable Software and Affected Versions: Social Connect plugin for WordPress versions up to, and including, 1.2 Description: The issue is due to insufficient verification on the OpenID server being supplied during the social login through the plugin. This makes it possible for...
CVE-2020-17477
Incorrect LDAP ACLs in ucs-school-ldap-acls-master in UCS@school before 4.4v5-errata allow remote teachers, staff, and school administrators to read LDAP password hashes sambaNTPassword, krb5Key, sambaPasswordHistory, and pwhistory via LDAP search requests. For example, a teacher can gain...
PT-2023-27327 · Google · Google Api
Name of the Vulnerable Software and Affected Versions: Modern Events Calendar lite plugin for WordPress versions up to, but not including, 7.1.0 Description: The issue is related to Stored Cross-Site Scripting via Google API key and Calendar ID due to insufficient input sanitization and output...
PT-2021-11711 · Mautic · Mautic
Name of the Vulnerable Software and Affected Versions: Mautic versions prior to 2.16.5 Mautic versions prior to 3.2.4 Description: A cross-site scripting XSS issue in the forms component allows remote attackers to inject executable JavaScript via mauticreturn. This could allow an attacker...
Netscape and iPlanet Enterprise Servers fail to sanitize log files before they are displayed using the administration client
Overview IPlanet Enterprise Server and Netscape Enterprise Server versions prior to 4.1. SP12 have a vulnerability involving the rendering of tags embedded in the web logs when viewed through the administration client. Description Requests made to web servers are routinely logged by the web serve...
dpec-course-passwds.txt
Date: Fri, 15 Jan 1999 21:45:24 -0700 From: Joel Knight To: [email protected] Subject: DPEC Online Courseware DPEC's www.dpec.com Online Courseware has a nasty bug in it that allows anyone to change anyone elses password without knowing what their current password is. This is NOT limited to...