39 matches found
my-springsecurity-plus SQL Injection Vulnerability
my-springsecurity-plus is an RBAC backend privilege management system based on SpringBoot and SpringSecurity by codermy individual developer. A SQL injection vulnerability exists in my-springsecurity-plus prior to version 2024.07.03, which stems from an unknown function in file/api/role, where...
my-springsecurity-plus Security Vulnerabilities
my-springsecurity-plus is a SpringBoot and SpringSecurity based RBAC backend privilege management system by codermy individual developer. A security vulnerability exists in my-springsecurity-plus prior to 2024.07.03, which stems from some unknown functionality in file/api/dept, where manipulation...
my-springsecurity-plus Security Vulnerabilities
my-springsecurity-plus is an RBAC backend privilege management system based on SpringBoot and SpringSecurity by codermy personal developer. A security vulnerability exists in my-springsecurity-plus prior to version 2024.07.03, which stems from an SQL injection due to manipulation of...
PT-2024-37797 · Unknown · Witmy My-Springsecurity-Plus
Name of the Vulnerable Software and Affected Versions: witmy my-springsecurity-plus up to 2024-07-04 Description: A critical issue has been found, affecting some unknown functionality of the file /api/dept. The manipulation of the argument params.dataScope leads to SQL injection. The attack may b...
DingFlow 安全漏洞
DingFlow is DingFlow open source is committed to helping small and medium-sized intelligent office system. DingFlow v.2.0.0 version of a security vulnerability , the vulnerability stems from the system/role/list interface of the dataScope parameter SQL injection vulnerability...
CVE-2022-48341
ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. A Tenant Administrator can obtain System Administrator dashboard access by modifying the scope via the scopes parameter...
LuckyFrame SQL注入漏洞
LuckyFrame is a free and open source testing platform. A security vulnerability exists in LuckyFrame v3.5, which originates from a SQL injection vulnerability in the dataScope parameter in /system/RoleMapper.xml...
VulnCheck KEV: CVE-2018-11511
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'albumid' or 'scope' parameter via a photo-gallery/api/album/treelists/ URI...
pixiv: Open Redirect at https://oauth.secure.pixiv.net
Summary: Hello @pixiv security team, i hope you are well, i noticed you can redirect users to another domain if you send an invalided scope. Vulnerable Url...
CVE-2018-11511
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'albumid' or 'scope' parameter via a photo-gallery/api/album/treelists/ URI...
RCE with spring-security-oauth2 分析(CVE-2018-1260)
漏洞公告 环境搭建 利用github上已有的demo: git clone https://github.com/wanghongfei/spring-security-oauth2-example.git 确保导入的spring-security-oauth2为受影响版本,以这里为例为2.0.10 进入spring-security-oauth2-example,修改 cn/com/sina/alan/oauth/config/OAuthSecurityConfig.java的第67行: @Override public void...
CVE-2017-1500
A Reflected Cross Site Scripting XSS vulnerability exists in the authorization function exposed by RESTful Web Api of IBM Worklight Framework 6.1, 6.2, 6.3, 7.0, 7.1, and 8.0. The vulnerable parameter is "scope"; if you set as its value a "realm" not defined in authenticationConfig.xml, you get a...
Unauthorised Modification Of Permission Scope
spring-security-oauth2 is vulnerable to unauthorised modification of scope. A malicious user can submit a scope parameter during token request, which will be accepted by the server. This allows the malicious user to gain a wider scope of permissions when they authenticate...
CVE-2013-1407
Multiple cross-site scripting XSS vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 scope parameter to index.php; 2 username, 3 dbemphone, 4 useremail, or 5...
CVE-2011-5114
Multiple cross-site scripting XSS vulnerabilities in the Authoritative DNS - DNS Zones page in Barracuda Link Balancer 330 Firmware 1.3.2.005 and earlier allow remote attackers to inject arbitrary web script or HTML via the 1 zoneid or 2 scope parameter...
Cross site scripting
Multiple cross-site scripting XSS vulnerabilities in the Authoritative DNS - DNS Zones page in Barracuda Link Balancer 330 Firmware 1.3.2.005 and earlier allow remote attackers to inject arbitrary web script or HTML via the 1 zoneid or 2 scope parameter...
DEBIAN-CVE-2006-2016
Multiple cross-site scripting XSS vulnerabilities in phpLDAPadmin 0.9.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the 1 dn parameter in a compareform.php, b copyform.php, c renameform.php, d templateengine.php, and e deleteform.php; 2 scope parameter in f...
CVE-2006-2016
Multiple cross-site scripting XSS vulnerabilities in phpLDAPadmin 0.9.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the 1 dn parameter in a compareform.php, b copyform.php, c renameform.php, d templateengine.php, and e deleteform.php; 2 scope parameter in f...
CVE-2006-2016
Multiple cross-site scripting XSS vulnerabilities in phpLDAPadmin 0.9.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the 1 dn parameter in a compareform.php, b copyform.php, c renameform.php, d templateengine.php, and e deleteform.php; 2 scope parameter in f...