CVE-2025-55366
Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack...
CVE-2025-55135
In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG...
PT-2025-32269 · Unknown · Agora Foundation
Name of the Vulnerable Software and Affected Versions: Agora Foundation Agora fall23-Alpha1 versions prior to 690ce56. Description: The application permits file formats other than PNG, JPEG, and WEBP for profile pictures, including SVG. This allows for cross-site scripting (XSS) via a crafted profil...
CVE-2024-55471
Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This allows unauthorized users to access sensitive information of other users by manipulating the id parameter...
CVE-2020-9456
In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the user controller allows remote authenticated users with minimal privileges to elevate their privileges to administrator via classrmusercontroller.php rmuseredit...
CVE-2019-1010191
marginalia 1.6 is affected by: SQL Injection. The impact is: an injection of arbitrary SQL queries when a user controller argument is added as a component. The component is: affects users that add a component that is user controller, for instance a parameter or a header. The attack vector...
CVE-2018-11126
dg-user/?controller=users=add in doorGets 7.0 has CSRF that results in adding an administrator account...
Cross-site Request Forgery (CSRF)
Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the /agency/AgencyUserController.java component. An attacker can manipulate the state of the application on behalf of users by sending a crafted request that the end user's browser processes...
CVE-2025-25770
Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /agency/AgencyUserController.java...
wangmarket Security Vulnerability
wangmarket is a privately deployable SaaS website-builder system by the individual developer xnx3 in China. A security vulnerability exists in wangmarket versions v4.10 through v5.0, which originates from a cross-site request forgery vulnerability contained in the...
MRCMS Security Vulnerability
MRCMS is a content management system by the individual developer marker. A security vulnerability exists in MRCMS version v3.1.2, which stems from the /controller/UserController.java module containing an elevation of privilege vulnerability...
PT-2025-7573 · Mrcms · Mrcms
Name of the Vulnerable Software and Affected Versions: MRCMS version 3.1.2. Description: A vertical privilege escalation issue in the /controller/UserController.java component allows attackers to delete users arbitrarily via a crafted request. Recommendations: For MRCMS version 3.1.2, consider...
PT-2025-2055 · Unknown · Donglight Bookstore电商书城系统说明
Name of the Vulnerable Software and Affected Versions: donglight bookstore电商书城系统说明 version 1.0.0. Description: A vulnerability was found in the updateUser function of the file src/main/Java/org/zdd/bookstore/web/controller/admin/AdminUserControlle.java. The manipulation leads to cross site...
bookstore Code Injection Vulnerability
bookstore is an e-commerce bookstore system by the individual developer donglight. A code injection vulnerability exists in bookstore version 1.0.0, which originates from the updateUser function in the file src/main/Java/org/zdd/bookstore/web/controller/admin/AdminUserControlle.java, which can lead t...
Authorization Bypass Through User-Controlled Key
Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the id parameter in Oqtane.Controllers.UserController. Remediation: Upgrade Oqtane.Framework to version 6.0.1 or higher. References: GitHub Commit, GitHub PR, Medium Blog. Credit:...
CVE-2024-55471
Summary: CVE-2024-55471 affects Oqtane Framework via Insecure Direct Object Reference in Oqtane.Controllers.UserController, enabling unauthorized access to other users' data by tampering with the id parameter. Affected information includes guidance across multiple sources; remediation is to upgrade to...
PT-2024-36526 · Unknown · Oqtane Framework
Name of the Vulnerable Software and Affected Versions: Oqtane Framework, affected versions not specified. Description: The issue is related to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController, allowing unauthorized users to access sensitive information of other users by...
CVE-2024-46607
Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrary values as the username and password via the loginAdmin method in the UserController.java file...
CVE-2024-47210
Gladys Assistant before 4.45.1 allows Privilege Escalation (a user changing their own role) because req.body.role can be used in updateMySelf in server/api/controllers/user.controller.js...