Pimcore Security Vulnerability
Pimcore is an open-source web content management platform from the Austrian company Pimcore for creating and managing web applications. The platform integrates web content management, an e-commerce framework and product information management applications. A security vulnerability exists in Pimcore...
PT-2023-6588 · Sielco · Sielco Polyeco1000
Name of the Vulnerable Software and Affected Versions: Sielco PolyEco1000, affected versions not specified. Description: The issue is related to inadequate access control in the software of the Sielco PolyEco1000 digital FM transmitter. An attacker can exploit this by modifying passwords in POST request...
GHSA-G9V2-WQCJ-J99G Uptime Kuma has Persistent User Sessions
Summary: Attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Details: uptime-kuma sets JWT tokens for users after successful authentication. These tokens have...
CVE-2023-44400
Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the...
Session fixation
Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the...
CVE-2023-44400 Uptime Kuma has Persistent User Sessions
Uptime Kuma is a self-hosted monitoring tool. Prior to version 1.23.3, attackers with access to a user's device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity periods. Version 1.23.3 has a patch for the...
Synapse Security Breach
Synapse is an application for open federated instant messaging and VoIP. A security vulnerability exists in Synapse that stems from the temporary storage of plaintext passwords during password changes. Affected products and versions: Synapse versions prior to 1.66.0 through 1.93.0...
CVE-2023-41335 Temporary storage of plaintext passwords during password changes in matrix synapse
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as...
matrix-synapse vulnerable to temporary storage of plaintext passwords during password changes
Impact: When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be...
Car Rental Script Security Vulnerability
Car Rental Script is an open source vehicle rental script by GZ Script. A security vulnerability exists in PHPJabbers Car Rental Script version 3.0, which stems from a lack of validation when changing e-mail addresses or passwords...
CVE-2023-36134
In PHP Jabbers Class Scheduling System 1.0, lack of verification when changing an email address and/or password on the Profile Page allows remote attackers to take over accounts...
Class Scheduling System Data Forgery Problem Vulnerability
Class Scheduling System is a class scheduling system by jkev Personal Developer. A security vulnerability exists in Class Scheduling System version 1.0, which stems from a lack of authentication when changing email addresses or passwords, allowing a remote attacker to take over an account...
CVE-2023-33563
In PHP Jabbers Time Slots Booking Calendar 3.3, lack of verification when changing an email address and/or password on the Profile Page allows remote attackers to take over accounts...
CVE-2023-3459
The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hfupdatecustomer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated...
PT-2023-4170 · Taphome · Taphome
Name of the Vulnerable Software and Affected Versions: TapHome, versions prior to 2023.2. Description: The issue is related to weaknesses in the authentication procedure of the TapHome system, allowing a remote attacker to bypass authentication and gain full access to the device. A hidden API in...
SolusVM-WHMCS-Module Security Vulnerability
SolusVM-WHMCS-Module is a WHMCS module for SolusVM. A security vulnerability exists in SolusVM-WHMCS-Module version 4.1.2 that originates from allowing an attacker to make unauthorized changes to passwords and hostnames of other client servers...
CVE-2023-3063
The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it...
SP Project & Document Manager < 4.68 - Subscriber+ Insecure Direct Object References
The plugin allows direct access to objects, allowing an authenticated user with subscriber privileges or above, to bypass authorization and change user passwords and potentially take over administrator accounts...
CVE-2023-20105
A vulnerability in the change password functionality of Cisco Expressway Series and Cisco TelePresence Video Communication Server VCS could allow an authenticated, remote attacker with Read-only credentials to elevate privileges to Administrator on an affected system. This vulnerability is due to...
PT-2023-3035 · Cisco · Cisco Telepresence Video Communication Server +1
Name of the Vulnerable Software and Affected Versions: Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS), affected versions not specified. Description: A vulnerability in the change password functionality could allow an authenticated, remote attacker with Read-only...