1035 matches found
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in tildeclub/site
Description: The file signup-handler.php creates a user by accepting input from the request parameters username, email, interest and sshkey. The affected parameter is sshkey. It does not sanitize special characters and only checks whether the first four characters of the input are ssh-, which allows the signup...
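The check described above (accept anything whose first four characters are "ssh-") is what lets a newline or option text ride into the authorized_keys file. The following is an added example, not code from tildeclub/site: the weak prefix check beside a strict validator that accepts exactly one key line. The allowed key types, the make_key_line helper and the sample inputs are assumptions constructed for the example; make_key_line only builds syntactically valid test lines from dummy bytes and is not a key generator.

```python
import base64
import struct

# Key types the signup handler accepts. This whitelist is an assumption made
# for the example; the page does not say which types tildeclub allows.
ALLOWED_KEY_TYPES = {
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def weak_check(sshkey: str) -> bool:
    """The kind of check the report describes: only the 'ssh-' prefix is tested."""
    return sshkey[:4] == "ssh-"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def validate_sshkey(sshkey: str) -> str:
    """Return a normalised '<type> <base64>' line or raise ValueError.

    Rejects everything that could change the meaning of authorized_keys:
    control characters (a newline starts a second key line), leading options
    such as command="..." or from="...", unknown key types, bad base64, and a
    blob whose embedded type string does not match the textual prefix.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in sshkey):
        raise ValueError("control character in key")
    parts = sshkey.strip().split(maxsplit=2)
    if len(parts) not in (2, 3):
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        raise ValueError("key blob is not valid base64")
    embedded_type, _ = _read_string(blob, 0)
    if embedded_type != key_type.encode():
        raise ValueError("key type prefix does not match encoded blob")
    # The comment is attacker-controlled free text and is not needed; drop it.
    return f"{key_type} {b64}"


def accepts(sshkey: str) -> bool:
    """True if validate_sshkey would store the line, False if it rejects it."""
    try:
        validate_sshkey(sshkey)
        return True
    except ValueError:
        return False


def make_key_line(key_type: str, key_material: bytes, comment: str = "") -> str:
    """Build a syntactically valid key line from constructed dummy bytes.

    Only for producing sample input in this example; it does no cryptography.
    """
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_material)) + key_material)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


if __name__ == "__main__":
    good = make_key_line("ssh-ed25519", b"\x01" * 32, "alice@example.org")
    # Constructed payload: a second line carrying a forced command.
    evil = good + '\ncommand="/bin/sh" ' + good
    print("weak check accepts payload:", weak_check(evil))   # True
    print("strict check accepts payload:", accepts(evil))    # False
    print("strict check accepts real key:", accepts(good))   # True
```

The strict validator does more than block newlines: checking that the base64 blob's embedded type string matches the prefix stops an attacker from smuggling an unrelated blob under an accepted type name, and dropping the comment removes the one field that legitimately carries arbitrary text.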
parse-server new anonymous user session acts as if it's created with password
Impact: Developers that use the REST API to sign up users and also allow users to log in anonymously. When an anonymous user is first signed up using REST, the server creates the session incorrectly; in particular, the authProvider field under createdWith in the Session class shows the user logged in creating...
CVE-2021-39138
Parse Server prior to v4.5.1 incorrectly classifies anonymous sessions as password-created when first signing up via REST, due to the createdWith value in _Session. This affects only developers who rely on createdWith for access control; the vulnerability is fixed in 4.5.1. The recommended workar...
BuddyPress < 9.1.1 - Activation Key Disclosure
The plugin disclosed the activation key from responses of the createitem method in the BP REST API Signup controller...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
BUG: Stored XSS via the signup page. VERSION TESTED: latest version as of 4/7/21. IMPACT: the XSS allows execution of arbitrary JavaScript in the victim's account. STEPS TO REPRODUCE: 1. Go to http://localhost/online-rental/app/admin/pageSettings.php and click on the Sign Up tab. Here, allow signup. Now put the below XSS...
CVE-2020-29205
XSS in signup form in Project Worlds Online Examination System 1.0 allows remote attacker to inject arbitrary code via the name field...
CVE-2020-29205
CVE-2020-29205 affects SourceCodester Worlds Online Examination System 1.0. An XSS vulnerability exists in the signup form where an attacker can inject arbitrary code via the name field. Root cause appears to be insufficient input sanitization in the signup logic. Impact is described as cross-sit...
CVE-2021-30214
Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection in '/knowage/restful-services/signup/update' via the 'name' parameter...
CVE-2021-30211
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting XSS. An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter...
Knowage injection vulnerability
Knowage is an open source suite for modern business analytics on traditional resources and big data systems from Knowage Italy. A security vulnerability exists in Knowage Suite version 7.3. The vulnerability stems from the program's tendency to store client templates in...
UPchieve: Hyper Link Injection while signup
Summary: An attacker can put a URL in their name so that the signup email sent to them contains malicious hyperlinks. Steps To Reproduce: 1. Go to https://app.upchieve.org and create an account with the first name http://attacker.com/ and last name . 2. Now check your email and you will notice there is...
Glovo: Server Side Template Injection on Name parameter during Sign Up process
Summary: Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. In this scenario, when an attacker signs up on the platform and uses a payload in the First Name field, the payload ...
CVE-2020-21180
SQL injection vulnerability in koa2-blog 1.0.0 allows remote attackers to inject a malicious SQL statement via the name parameter on the signup page...
Sql injection
SQL injection vulnerability in koa2-blog 1.0.0 allows remote attackers to inject a malicious SQL statement via the name parameter on the signup page...
CVE-2020-21180
CVE-2020-21180 affects koa2-blog 1.0.0. It is a SQL injection vulnerability that enables remote attackers to inject SQL statements via the name parameter on the signup page. NVD lists a CVSS v3.1 base score of 9.8 (CRITICAL; network attack vector, low attack complexity, no privileges and no user interaction required) and a CVSS v2 base score of 7.5 (HIGH). N...
CVE-2020-29159
An issue was discovered in Zammad before 3.5.1. The default signup Role for newly created Users can be a privileged Role, if configured by an admin. This behavior was unintended...
Design/Logic Flaw
An issue was discovered in Zammad before 3.5.1. The default signup Role for newly created Users can be a privileged Role, if configured by an admin. This behavior was unintended...