10 matches found
CVE-2026-41660
Admidio prior to version 5.0.9 contains an inverted authorization check in two_factor_authentication.php that allows non-admin group leaders with profile edit rights on an admin account to strip that admin’s 2FA, compromising admin accounts. The issue is fixed in 5.0.9; upgrade to 5.0.9+ to mitig...
CVE-2026-41660 Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP
Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A...
Admidio has Inverted 2FA Reset Authorization Check that Lets Group Leaders Strip Admin TOTP
Summary A logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip th...
CVE-2024-8349
The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group...
WordPress plugin Uncanny Groups for LearnDash 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in...
PT-2024-38964 · WordPress · Uncanny Groups For Learndash
Name of the Vulnerable Software and Affected Versions: The Uncanny Groups for LearnDash plugin for WordPress versions up to, and including, 6.1.0.1 Description: The issue arises from the plugin's failure to properly restrict what users a group leader can edit. This allows authenticated attackers...
CVE-2021-25989 ifme - Stored Cross-Site Scripting (XSS) in Groups section
In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable against stored XSS vulnerability in the markdown editor. It can be exploited by making a victim a Leader of a group which triggers the payload for them...
CVE-2015-2786
Unspecified vulnerability in MyBB aka MyBulletinBoard before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."...
Design/Logic Flaw
Unspecified vulnerability in MyBB aka MyBulletinBoard before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."...
CVE-2015-2786
Unspecified vulnerability in MyBB aka MyBulletinBoard before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."...