22 matches found
CVE-2023-53735
CVE-2023-53735 relates to WEBIGniter 28.7.23, with a cross-site scripting (XSS) vulnerability in the user-creation process. The flaw allows unauthenticated attackers to inject and execute malicious JavaScript, as described across multiple sources in the connected documents. The provided materials...
Grav elevation of privilege vulnerability (CNVD-2025-30354)
Grav is an extensible content management system (CMS) for personal blogs, small content publishing platforms and one-page product presentations. Grav suffers from an elevation of privilege vulnerability, which can be exploited due to a lack of user name uniqueness...
EUVD-2010-3696
Malware in sbrugna...
EUVD-2025-4154
Malicious code in bioql PyPI...
CVE-2025-6775
The CVE-2025-6775 entry concerns xiaoyunjie openvpn-cms-flask (versions
CVE-2024-6428
Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken...
CVE-2023-29922
PowerJob V4.3.1 is vulnerable to Incorrect Access Control via the create user/save interface...
CVE-2020-5231
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code except for tests but only i...
Exploit for CVE-2025-2825
It is an exploit module/toolkit targeting CrushedFTP. The tool,...
GHSA-6JWP-4WVJ-6597 Apache Pinot Vulnerable to Authentication Bypass
Authentication Bypass Issue: If the path does not contain "/" and contains ".", authentication is not required. Expected Normal Request and Response Example: curl -X POST -H "Content-Type: application/json" -d...
CVE-2025-26375
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated low-privileged attacker to create users with arbitrary privileges via crafted HTTP requests...
CVE-2024-0795
If an attacker was given access to an instance with the admin or manager role, there is no backend authentication that would prevent the attacker from creating a new user with an admin role and then being able to use this new account to have elevated privileges on the instance...
CVE-2024-57522
SourceCodester Packers and Movers Management System v1.0 is vulnerable to Cross-Site Scripting (XSS) in Users.php. An attacker can inject a malicious script into the username or name field during user creation...
Admin Able to Create User Without Setting a Password
Description: The application allows an admin to create a new user account without assigning a password. This could lead to security vulnerabilities, or the system might inadvertently create an account with a default or blank password, making it susceptible to unauthorized access. Proof of Concept ...
CVE-2023-38102
NETGEAR ProSAFE Network Management System createUser Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit...
CodeAstro Simple Banking System Cross-Site Scripting Vulnerability
Simple Banking System is a simple project about online banking. A cross-site scripting vulnerability exists in CodeAstro Simple Banking System version 1.0, originating from an unknown function in createuser.php in the Create a User Page component...
JetBrains TeamCity Cross-Site Scripting Vulnerability
JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides features such as continuous unit testing, code quality analysis and build issue analysis reports. A security vulnerability exists in JetBrains TeamCity...
PT-2022-11976 · Crushftp · Crushftp
Name of the Vulnerable Software and Affected Versions: CrushFTP version 9. Description: An issue was discovered in the creation of a new user through the "/WebInterface/UserManager/" interface, allowing an attacker with access to the administration panel to perform Stored Cross-Site Scripting (XSS)...