Lucene search
+L

59 matches found

cvelist
cvelist
added 2026/07/09 12:29 p.m.30 views

CVE-2026-12593 Privilege escalation via forged API token creation in Axivion Dashboard OIDC/OAuth2/SSO subsystem

The implementation of an internal and undocumented Dashboard API endpoint POST /api/users//user/tokens forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user with more...

8.7CVSS0.00281EPSS
Exploits0References1
cve
cve
added 2026/07/09 12:29 p.m.13 views

CVE-2026-12593

The CVE concerns Axivion Dashboard’s OIDC/OAuth2/SSO subsystem. An internal, undocumented API endpoint (POST /api/users/~/{user}/tokens) did not enforce sufficient permissions when creating an API token for another user. Preconditions include an internal user with higher privileges, knowledge of ...

8.7CVSS6.4AI score0.00281EPSS
Exploits0References1
euvd
euvd
added 2026/07/09 12:29 p.m.7 views

EUVD-2026-42589

The implementation of an internal and undocumented Dashboard API endpoint POST /api/users//user/tokens forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user with more...

8.7CVSS6.4AI score0.00281EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:10 p.m.10 views

CVE-2026-35478

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...

8.3CVSS5.5AI score0.00303EPSS
Exploits0References1
githubexploit
githubexploit
added 2026/05/18 6:11 p.m.99 views

Exploit for Authentication Bypass Using an Alternate Path or Channel in Jetbrains Teamcity

CVE-2024-27198 Lab Description TeamCity provides an admin-...

9.8CVSS6.3AI score0.99938EPSS
Exploits24
github
github
added 2026/05/08 5:24 p.m.14 views

ExternalSecrets vulnerable to privilege escalation with secret overwriting

ExternalSecrets allows users to craft Service Account tokens for misconfigured Service Accounts in namespaces the users have access to. Impact A user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate wi...

4.9CVSS5.8AI score0.00214EPSS
Exploits0References5Affected Software1
cvelist
cvelist
added 2026/04/08 7:24 p.m.23 views

CVE-2026-35478 InvenTree has Arbitrary API Token Creation

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...

8.3CVSS0.00303EPSS
Exploits0References1
cve
cve
added 2026/04/08 7:24 p.m.18 views

CVE-2026-35478

CVE-2026-35478 affects InvenTree Open Source Inventory Management System (versions 0.16.0 through before 1.2.7). The issue allows any authenticated InvenTree user to create a valid API token for any other user (including admins) by supplying the target user’s ID in the POST /api/user/tokens/ requ...

8.3CVSS6AI score0.00303EPSS
Exploits0References1Affected Software1
vulnrichment
vulnrichment
added 2026/04/08 7:24 p.m.4 views

CVE-2026-35478 InvenTree has Arbitrary API Token Creation

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...

8.3CVSS6AI score0.00303EPSS
Exploits0References1
osv
osv
added 2026/04/08 7:24 p.m.4 views

CVE-2026-35478 InvenTree has Arbitrary API Token Creation

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...

8.3CVSS6AI score0.00303EPSS
Exploits0References3
nvd
nvd
added 2026/03/10 6:18 p.m.5 views

CVE-2026-30944

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

8.8CVSS0.00564EPSS
Exploits3References3
github
github
added 2026/03/10 6:16 p.m.9 views

StudioCMS has Privilege Escalation via Insecure API Token Generation

Summary The /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target us...

8.8CVSS5.9AI score0.00564EPSS
Exploits3References7Affected Software1
vulnrichment
vulnrichment
added 2026/03/10 4:48 p.m.1 views

CVE-2026-30944 StudioCMS Affected by Privilege Escalation via Insecure API Token Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References3
attackerkb
attackerkb
added 2026/03/10 4:48 p.m.4 views

CVE-2026-30944

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References4Affected Software1
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.12 views

PT-2026-24252

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms api/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails t...

8.8CVSS5.8AI score0.00564EPSS
Exploits3References3
nvd
nvd
added 2025/12/19 9:15 p.m.6 views

CVE-2023-53958

LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account...

8.6CVSS0.00349EPSS
Exploits0References3
redhatcve
redhatcve
added 2025/10/24 6:38 p.m.6 views

CVE-2025-10937

Oxford Nanopore Technologies' MinKNOW software at or prior to version 24.11 creates a temporary file to store the local authentication token during startup, before copying it to its final location. This temporary file is created in a directory accessible to all users on the system. An unauthorize...

6.8CVSS7AI score0.00156EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/10/07 3:22 p.m.4 views

CVE-2025-49594

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows...

9.2CVSS7AI score0.00536EPSS
Exploits0References1
euvd
euvd
added 2025/10/07 12:30 a.m.24 views

EUVD-2020-29878

Malware in sbrugna...

7.1CVSS5.6AI score0.00527EPSS
Exploits0References4
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-9623

Malware in sbrugna...

7.5CVSS7.6AI score0.01321EPSS
Exploits1References3
Rows per page
Query Builder