
10 matches found

Cvelist
• added 2026/03/23 1:46 p.m. • 18 views

CVE-2026-33297 AVideo has an IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

WWBN AVideo is an open source video platform. Prior to version 26.0, the setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numer...

CVSS 5.1 | EPSS 0.00342
Exploits 1 | References 2
Github Security Blog
• added 2026/03/19 5:25 p.m. • 5 views

AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

Summary The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before...

CVSS 9.1 | AI score 5.8 | EPSS 0.00342
Exploits 1 | References 4 | Affected Software 1
OSV
• added 2026/03/19 5:25 p.m. • 4 views

GHSA-6547-8HRG-C55M AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

Summary The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before...

CVSS 5.1 | AI score 5.8 | EPSS 0.00342
Exploits 1 | References 4
OSV
• added 2026/02/07 10:15 a.m. • 2 views

CVE-2026-2081

A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/setpassword. This manipulation of the argument httppasswd causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclos...

CVSS 7.2 | AI score 5.6
Exploits 0 | References 6
Packet Storm
• added 2026/02/05 12:0 a.m. • 141 views

Casdoor 2.284.0 / 2.285.0 Cross Site Request Forgery

Casdoor versions 2.284.0 and 2.285.0 suffer a cross site request forgery vulnerability that was originally discovered in an earlier version but has not been addressed. Related CVE number: CVE-2023-34927. Exploit Title: Casdoor v2.284.0 2026-02-03 & v2.285.0 2026-02-03 - Cross-Site Request Forgery...

CVSS 6.5 | AI score 5 | EPSS 0.01722
Exploits 10
Packet Storm
• added 2026/02/03 12:0 a.m. • 143 views

Casdoor 2.283.0 Cross Site Request Forgery

Casdoor version 2.283.0 suffers from a cross site request forgery vulnerability. Related CVE number: CVE-2023-34927. Exploit Title: Casdoor v2.283.0 2026-02-02 - Cross-Site Request Forgery CSRF Application: Casdoor Version: v2.283.0 Date: 03/02/2026 Exploit Author: Van Lam Nguyen Facebook:...

CVSS 6.5 | AI score 5 | EPSS 0.01722
Exploits 10
Packet Storm
• added 2025/11/03 12:0 a.m. • 102 views

Casdoor 2.95.0 Cross Site Request Forgery

Casdoor version 2.55.0 suffers from a cross site request forgery vulnerability. Exploit Title: Casdoor 2.95.0 - Cross-Site Request Forgery CSRF Application: Casdoor Version: v2.95.0 2025-10-22 Date: 2025-10-23 Exploit Author: Van Lam Nguyen Vendor Homepage: https://casdoor.org/ Software Link:...

CVSS 6.5 | AI score 6.3 | EPSS 0.01722
Exploits 10
Exploit DB
• added 2025/10/29 12:0 a.m. • 127 views

Casdoor 2.95.0 - Cross-Site Request Forgery (CSRF)

Exploit Title: Casdoor 2.95.0 - Cross-Site Request Forgery CSRF Application: Casdoor Version: v2.95.0 2025-10-22 Date: 2025-10-23 Exploit Author: Van Lam Nguyen Vendor Homepage: https://casdoor.org/ Software Link: https://github.com/casdoor/casdoor/archive/refs/tags/v2.95.0.zip Tested on: Windows...

CVSS 6.5 | AI score 7 | EPSS 0.01722
Exploits 10
Positive Technologies
• added 2023/08/05 12:0 a.m. • 6 views

PT-2023-28048 · Ruijie · Ruijie Rg-Ew1200G

Name of the Vulnerable Software and Affected Versions: Ruijie RG-EW1200G version 1.01B1P5 Description: A critical issue has been found in the Administrator Password Handler component, specifically affecting an unknown functionality of the file "/api/sys/set passwd". This leads to improper access...

CVSS 9.8 | AI score 6.7 | EPSS 0.56147
Exploits 7 | References 10
ATTACKERKB
• added 2023/06/22 1:15 p.m. • 0 views

CVE-2023-34927

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery CSRF in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL...

CVSS 6.5 | AI score 5.8 | EPSS 0.01722
Exploits 10 | References 4