3 matches found
EUVD-2026-38175
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other...
CVE-2018-7176
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php aka the "add user" feature of the User Permissions page...
Typesetter Cross-Site Request Forgery Vulnerability
Typesetter is a free content management system (CMS). A cross-site request forgery vulnerability exists in the User Permissions page, aka Admin/Users, in Typesetter version 5.1, which stems from the lack of an anti-CSRF token. A remote attacker can exploit this vulnerability by sending a spoofed HTTP...