Lucene search
+L

264 matches found

Github Security Blog
Github Security Blog
added 2026/03/11 2:54 p.m.9 views

Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Description A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group membership...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/03/11 12:37 a.m.11 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management due to insufficient authorization enforcement when modifying user group memberships. An attacker can gain higher-level privileges by assigning highly privileged roles without proper validation of their own...

8.6CVSS5.8AI score0.00257EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/10 9:53 p.m.30 views

CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS0.00257EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/10 9:53 p.m.3 views

CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/03 9:53 p.m.7 views

CVE-2026-27012 Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling...

9.8CVSS6AI score0.00537EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/03 9:53 p.m.5 views

CVE-2026-27012

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling...

9.8CVSS6AI score0.00537EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/03/03 9:53 p.m.7 views

EUVD-2026-9334

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling...

9.8CVSS6AI score0.00537EPSS
Exploits1References1
OSV
OSV
added 2026/03/03 9:53 p.m.4 views

CVE-2026-27012 Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling...

9.8CVSS5.8AI score0.00537EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/03/03 5:43 p.m.12 views

OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php

Summary A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling modules/utenti/actions.php. This can promote an existing account e.g. agent into the Amministratori group as well as demot...

9.8CVSS6AI score0.00537EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/03/03 12:0 a.m.8 views

OpenSTAManager 访问控制错误漏洞

OpenSTAManager is an open-source management software for technical assistance and billing developed by Devcode. Versions of OpenSTAManager 2.9.8 and earlier contained a security vulnerability related to access control. This vulnerability stemmed from issues in modules/utenti/actions.php, which...

9.8CVSS5.8AI score0.00537EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/02/28 9:47 p.m.7 views

CVE-2026-28557

wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforosynchroles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then rema...

7.1CVSS6AI score0.00274EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/28 12:0 a.m.11 views

PT-2026-22478

Name of the Vulnerable Software and Affected Versions wpForo Forum version 2.4.14 Description An issue exists in wpForo Forum that allows authenticated users to perform bulk wpForo usergroup reassignment. This is possible due to a missing capability check in the wpforo synch roles AJAX handler. A...

7.1CVSS6AI score0.00274EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/02/28 12:0 a.m.8 views

WordPress plugin wpForo Forum 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

7.1CVSS5.8AI score0.00274EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.8 views

PT-2026-3873

Name of the Vulnerable Software and Affected Versions Flux Operator versions 0.36.0 through 0.39.9 Description The Flux Operator, a Kubernetes CRD controller, contains a flaw in its Web UI authentication code. This issue allows an attacker to bypass Kubernetes RBAC impersonation and execute API...

5.3CVSS5.5AI score0.00303EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 2026/01/09 10:53 a.m.8 views

CVE-2022-33140

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the...

8.8CVSS7.4AI score0.03674EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/12/18 9:34 p.m.16 views

CVE-2025-67493

Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups of other users due to missing sanitization of inputs in ldap search query. The vulnerability could impact all instances using ldap...

9CVSS7.2AI score0.00268EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/10/31 12:13 a.m.5 views

CVE-2025-61118

mCarFix Motorists App version 2.3 package name com.skytop.mcarfix, developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data...

7.5CVSS7.1AI score0.00286EPSS
Exploits0References1
NVD
NVD
added 2025/10/30 4:15 p.m.5 views

CVE-2025-61118

mCarFix Motorists App version 2.3 package name com.skytop.mcarfix, developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data...

7.5CVSS0.00286EPSS
Exploits0References1
CVE
CVE
added 2025/10/13 7:32 a.m.16 views

CVE-2025-11672

CVE-2025-11672 concerns Uniweb/SoliPACS WebServer by EBM Technologies with a Missing Authentication vulnerability that allows unauthenticated remote access to a page exposing user group names. Affected component: web server software; root cause described as missing authentication/authorization on...

6.9CVSS6.7AI score0.00342EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/10/13 12:0 a.m.5 views

EBM Uniweb/SoliPACS WebServer 访问控制错误漏洞

EBM Uniweb/SoliPACS WebServer is a medical image archiving and communication system from Enterprise Business Machine EBM, Inc. of Taiwan, China. An access control error vulnerability exists in the EBM Uniweb/SoliPACS WebServer that stems from a lack of authentication and could allow an...

6.9CVSS6.9AI score0.00342EPSS
Exploits0References2
Rows per page
Query Builder