12 matches found
CVE-2026-47201
authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed...
CVE-2026-2450
.NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0...
CVE-2026-2450
CVE-2026-2450 concerns a .NET misconfiguration in upKeeper Solutions’ upKeeper Instant Privilege Access, enabling impersonation that hijacks a Privileged Thread of Execution. Affected product: upKeeper Instant Privilege Access up to version 1.5.0. The CVSS 4.0 vector indicates NETWORK attack vect...
GitLab 17.1 < 18.6.6 / 18.7 < 18.7.4 / 18.8 < 18.8.4 (CVE-2025-14560)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an...
CVE-2025-65031
CVE-2025-65031 affects Rallly versions prior to 4.5.4. A flaw in the comment creation endpoint allows an authenticated user to impersonate arbitrary users by altering the authorName field in the API request, potentially attributing comments to administrators or other privileged accounts and enabl...
CVE-2025-61220
The incomplete verification mechanism in the AutoBizLine com.mysecondline.app 1.2.91 allows attackers to log in as other users and gain unauthorized access to their personal information...
CVE-2024-22358
IBM UrbanCode Deploy UCD 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 28089...
PYSEC-2023-72
UNSUPPORTED WHEN ASSIGNED The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in...
CVE-2022-31164 Tovy before v0.7.51 vulnerable to users logging in as and impersonating other users
Tovy is a a staff management system for Roblox groups. A vulnerability in versions prior to 0.7.51 allows users to log in as other users, including privileged users such as the other of the instance. The problem has been patched in version 0.7.51...
Vulnerabilities fixed in Microsoft Dynamics
Microsoft has fixed vulnerabilities in Microsoft Dynamics. The vulnerabilities allow a malicious party to launch a Cross-Site Scripting attack and the malicious party can then impersonate then impersonate another user. Microsoft indicates That for the vulnerability with attribute CVE-2021-40457...
CVE-2017-16858
The 'crowd-application' plugin module notably used by the Google Apps plugin in Atlassian Crowd from version 1.5.0 before version 3.1.2 allowed an attacker to impersonate a Crowd user in REST requests by being able to authenticate to a directory bound to an application using the feature. Given th...
UBUNTU-CVE-2017-5604
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for mcabber 1.0.0 - 1.0.4...