260 matches found
AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
Summary The categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is entirely skipped, exposing all non-private categories including those restrict...
CVE-2026-34364
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...
CVE-2026-34364
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...
CVE-2026-34364 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...
CVE-2026-34364
CVE-2026-34364 (WWBN AVideo) affects the category listing API implemented in the categories.json.php endpoint. In versions up to and including 26.0, category access control is not enforced when no ?user= parameter is provided, causing all non-private categories (including those restricted to spec...
CVE-2026-34364 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is...
CVE-2021-27948
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. issue 3 of 3...
CVE-2026-33501
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...
CVE-2026-33501
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...
CVE-2026-33501 AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...
CVE-2026-33501 AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...
Missing Authorization
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via the list.json.php endpoint in the Permissions plugin. An attacker can retrieve the complete mapping of user groups to plugin permissions,...
GHSA-96QP-8CMQ-JVQ8 AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Summary The endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory add.json.php,...
PT-2026-26785
Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description The plugin/Permissions/View/Users groups permissions/list.json.php endpoint in AVideo lacks authentication or authorization checks, allowing unauthenticated users to retrieve the complete...
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
Summary A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions. !NOTE This is a separate...
GHSA-G3HP-VVQF-8VW6 Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
Summary A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions. !NOTE This is a separate...
Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
Description A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group membership...
Improper Privilege Management
Overview Affected versions of this package are vulnerable to Improper Privilege Management due to insufficient authorization enforcement when modifying user group memberships. An attacker can gain higher-level privileges by assigning highly privileged roles without proper validation of their own...
CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...
CVE-2026-31834 Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...