Lucene search
K

81 matches found

Snyk
Snyk
added 2026/07/06 8:53 p.m.5 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the PUT /api/v2/users/user/password endpoint. An attacker can gain unauthorized access to owner-level accounts by resetting their passwords without knowing the current password, allowing privilege escalation a...

8.6CVSS6AI score0.00615EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 8:53 p.m.3 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the PUT /api/v2/users/user/password endpoint. An attacker can gain unauthorized access to owner-level accounts by resetting their passwords without knowing the current password, allowing privilege escalation a...

8.6CVSS6AI score0.00615EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.7 views

PT-2026-56067

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description An issue exists where the PUT /api/v2/users/user/password endpoint only authorized the ActionUpdatePersona...

7.2CVSS6AI score0.00615EPSS
Exploits0References16
Vulnrichment
Vulnrichment
added 2026/06/11 6:49 p.m.9 views

CVE-2026-47181 PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a...

8.7CVSS5.3AI score0.00251EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.10 views

CVE-2026-24468

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS5.5AI score0.00294EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/04 12:46 p.m.6 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

6.3CVSS5.8AI score0.00217EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/04 12:46 p.m.31 views

CVE-2026-43926

FOSSBilling prior to 0.8.0 allows probing the password-reset flow because the non-API controller for /client/reset-password-confirm/:hash is not rate-limited like /api/* endpoints. The endpoint may reveal valid vs invalid tokens (200 vs 302), enabling unlimited token guessing until expiry. Token ...

6.3CVSS5.8AI score0.00217EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.10 views

FOSSBilling 安全漏洞

FOSSBilling is an open-source billing and customer management platform for hosting service providers and digital service providers. Versions of FOSSBilling prior to 0.8.0 contained security vulnerabilities. These vulnerabilities stemmed from the password reset confirmation endpoint being...

6.3CVSS5.3AI score0.00217EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/03 12:0 a.m.17 views

EUVD-2026-34153

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network...

4.3CVSS5.9AI score0.00166EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 2:13 p.m.8 views

CVE-2026-35675

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...

8.8CVSS5.8AI score0.00324EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/20 3:45 p.m.12 views

Weak Password Recovery Mechanism for Forgotten Password

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the updatePassword function. An attacker can enumerate valid user accounts and forcibly chan...

8.8CVSS5.8AI score0.00241EPSS
Exploits0References2
NVD
NVD
added 2026/05/12 6:16 p.m.9 views

CVE-2026-31242

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. Th...

9.1CVSS0.00489EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.10 views

PT-2026-40129

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. Th...

6AI score0.00489EPSS
Exploits0References3
NVD
NVD
added 2026/04/20 4:16 p.m.4 views

CVE-2026-24468

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS0.00294EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/20 3:45 p.m.4 views

CVE-2026-24468

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS5.7AI score0.00294EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/04/20 3:45 p.m.3 views

EUVD-2026-23883

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS5.7AI score0.00294EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/20 3:45 p.m.32 views

CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS0.00294EPSS
Exploits0References4
CVE
CVE
added 2026/04/20 3:45 p.m.12 views

CVE-2026-24468

OpenAEV versions prior to 2.0.13 expose an account-enumeration flaw via the /api/reset login parameter. If the email does not exist, the API returns 400 Bad Request; if the email exists, it returns 200. This observable response difference enables an attacker to reliably determine which emails are...

5.3CVSS5.7AI score0.00294EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/20 12:0 a.m.5 views

PT-2026-33788

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS5.7AI score0.00294EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/04/20 12:0 a.m.8 views

OpenAEV 安全漏洞

OpenAEV is an open-source personal planning platform under the OpenAEV Platform. Versions of OpenAEV from 1.11.0 to 2.0.13 contained security vulnerabilities. These vulnerabilities stemmed from differences in responses made by the/api/reset endpoint for valid and invalid usernames, which could...

5.3CVSS5.8AI score0.00294EPSS
Exploits0References1
Rows per page
Query Builder