14 matches found
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
Summary A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions. Note: This is a separate...
Cross-site Scripting (XSS)
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering process of user group names on the user permissions page. An attacker can execute arbitrary JavaScript code in the context of another user's browser...
GHSA-2H2M-V2MG-656C Craft Commerce has Stored XSS in Product Type Name
Summary Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input source is in Commerce Product Type settings, but the sink is in CMS user permissions settings. Reporting to Commerce GHSA since the input originates here. Users a...
PT-2026-5745
Name of the Vulnerable Software and Affected Versions: Craft Commerce versions 4.0.0-RC1 through 4.10.0; Craft Commerce versions 5.0.0 through 5.5.1. Description: A Stored Cross-Site Scripting (XSS) issue exists in Craft Commerce through Product Type names. The product type name is not properly sanitiz...
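The sink the Craft CMS and Craft Commerce entries above describe (a stored name written into the permissions page markup without escaping) as an added example; this is not code from either project, and the group names, the HTML fragment and the regression check are constructed for illustration. The vulnerable renderer is kept unsafe on purpose so the two outputs can be compared.

```python
import html
import re

# Constructed sample data (not from the advisories): user-group names as
# someone with rights to create groups could set them. Entry 2 is the
# stored payload; entry 3 shows that ordinary names also need encoding.
GROUPS = [
    {"id": 1, "name": "Editors"},
    {"id": 2, "name": '<img src=x onerror="alert(document.cookie)">'},
    {"id": 3, "name": "Tom & Jerry's \"Team\""},
]


def render_permissions_vulnerable(groups):
    """The pattern the advisories describe: the stored name is concatenated
    into the permissions page markup as-is (kept unsafe for contrast)."""
    rows = [
        f'<li><input type="checkbox" name="groups[]" value="{g["id"]}"> '
        f'{g["name"]}</li>'
        for g in groups
    ]
    return '<ul class="permissions">' + "".join(rows) + "</ul>"


def render_permissions_fixed(groups):
    """Same markup with output encoding at the sink. html.escape(quote=True)
    encodes < > & " ' so the value is safe both as text content and inside a
    double-quoted attribute. In a Twig template this is what autoescape (or
    the |e filter) does, and what the |raw filter would bypass."""
    rows = [
        f'<li><input type="checkbox" name="groups[]" '
        f'value="{html.escape(str(g["id"]), quote=True)}"> '
        f'{html.escape(g["name"], quote=True)}</li>'
        for g in groups
    ]
    return '<ul class="permissions">' + "".join(rows) + "</ul>"


# Tags the template itself emits; any other tag in the output came from data.
TEMPLATE_TAG_RE = re.compile(r"<(?!/?(?:ul|li|input)\b)[^>]+>", re.IGNORECASE)


def foreign_tags(markup):
    """Regression check: return every tag in the rendered page that the
    template did not put there. An empty list means user data stayed data."""
    return [m.group(0) for m in TEMPLATE_TAG_RE.finditer(markup)]


if __name__ == "__main__":
    print("vulnerable:", foreign_tags(render_permissions_vulnerable(GROUPS)))
    print("fixed:     ", foreign_tags(render_permissions_fixed(GROUPS)))
```

The check in `foreign_tags` is deliberately crude (it only knows the tags this one template emits), but it is the kind of assertion worth keeping in a test suite for any admin page that lists names chosen by lower-privileged users: the permissions page trusts a value that originates in a different settings screen, which is exactly why the Commerce advisory notes that the source and the sink live in different components.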
EUVD-2012-5399
Malware in sbrugna...
CVE-2024-10477
A vulnerability classified as problematic was found in LinZhaoguan pb-cms up to 2.0.1. This vulnerability affects unknown code of the file /adminpermissions of the component Permission Management Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The explo...
CVE-2021-29026
A cross-site scripting (XSS) vulnerability in Bitweaver version 3.1.0 allows remote attackers to inject JavaScript via the /users/admin/permissions.php URI...
CVE-2019-13370
index.php/admin/permissions in Ignited CMS through 2017-02-19 allows CSRF to add an administrator...
CVE-2018-7176
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php aka the "add user" feature of the User Permissions page...
Typesetter Cross-Site Request Forgery Vulnerability
Typesetter is a free CMS (Content Management System). A cross-site request forgery vulnerability exists in the User Permissions page aka Admin/Users in Typesetter version 5.1, which stems from the lack of an anti-CSRF token. A remote attacker can exploit this vulnerability by sending a spoofed HTTP...
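The "add user" CSRF described in the Ignited CMS, FrontAccounting and Typesetter entries above, as an added example rather than code from any of those projects: a handler that accepts a POST on the strength of the session cookie alone, next to one that also requires the anti-CSRF token those advisories say is missing. The session identifiers, form bodies, and field names are constructed for illustration, and the token scheme shown (an HMAC of the session id under a server secret) is one common synchronizer-token implementation, not necessarily the one any of these projects adopted.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Per-deployment secret (generated here for the example; a real app keeps
# it in configuration so tokens survive restarts).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session, embedded as a hidden field in the real
    'add user' form. A third-party page can make the victim's browser send
    the session cookie, but cannot read this value, so it cannot forge a
    request that carries it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf_token(session_id: str, token: str) -> bool:
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; compare bytes so a non-ASCII token cannot raise.
    return hmac.compare_digest(expected.encode(), (token or "").encode())


def handle_add_user_vulnerable(session_id, body):
    """The pattern in the entries above: any POST that arrives with a valid
    admin session creates the account (kept unsafe for contrast)."""
    if not session_id:
        return ("denied", None, None)
    params = parse_qs(body)
    return ("created", params["username"][0], params.get("role", ["user"])[0])


def handle_add_user_fixed(session_id, body):
    """Same handler with the missing check: the request must carry the token
    that was minted for this session when the form was rendered."""
    params = parse_qs(body)
    token = params.get("csrf_token", [""])[0]
    if not session_id or not valid_csrf_token(session_id, token):
        return ("denied", None, None)
    return ("created", params["username"][0], params.get("role", ["user"])[0])


def legitimate_form(session_id, username, role):
    """What the real admin page submits: the fields plus the token it was
    rendered with."""
    return urlencode({"username": username, "role": role,
                      "csrf_token": issue_csrf_token(session_id)})


# Constructed forged request: the body an attacker-controlled page
# auto-submits to the 'add user' endpoint while the admin is logged in.
# The victim's browser attaches the admin session cookie on its own.
VICTIM_SESSION = "sess-victim-0001"
FORGED_BODY = urlencode({"username": "mallory", "role": "admin"})

if __name__ == "__main__":
    print("vulnerable:", handle_add_user_vulnerable(VICTIM_SESSION, FORGED_BODY))
    print("fixed:     ", handle_add_user_fixed(VICTIM_SESSION, FORGED_BODY))
```

Two properties are worth checking when you review a fix like this: a token minted for the attacker's own session must not validate for the victim's session (it is bound to the session id, not just to the secret), and the comparison must be constant-time. A `SameSite` cookie attribute is useful defence in depth for the same class of bug but does not replace the token, since it depends on browser behaviour the server cannot verify.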
Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004
This module enables you to create manual and scheduled backups of a site, and restore the site from backup. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. Sites using this module should review the permissions page...
CVE-2012-5481
Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page...
Security feature bypass
Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page...
CVE-2012-5481
Summary: CVE-2012-5481 affects Moodle 2.3.x before 2.3.3. An authenticated remote user can bypass the moodle/role:manage capability on the Check Permissions page and read all capability data, causing information disclosure. Affected product/versions: Moodle 2.3.x prior to 2.3.3. Root cause (as re...