37 matches found
PT-2026-46887
Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.6.10.18 Shopware versions prior to 6.7.10.1 Description An attacker can enumerate administrator usernames by performing a timing attack. This occurs because the getUserEntityByUserCredentials function in the...
Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup
TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. This vulnerability is of high severity for all Kirby sites. ---- Introduction Path traversal is a type of attack that allows to access arbitrary filesystem paths. By...
GHSA-9HX7-C53C-V6X8 Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup
TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. This vulnerability is of high severity for all Kirby sites. ---- Introduction Path traversal is a type of attack that allows to access arbitrary filesystem paths. By...
keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...
Important: Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Security Update
New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security...
CVE-2026-37981
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...
CVE-2026-37981 Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...
CVE-2026-37981
Keycloak CVE-2026-37981 describes a broken access control in the Account Resources user lookup endpoint, where a remote authenticated user owning at least one UMA resource can enumerate and harvest PII for all realm users by sending crafted requests with arbitrary usernames or emails. The endpoin...
CVE-2026-37981 Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...
CVE-2026-37981
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...
Keycloak 安全漏洞
Keycloak is an open-source identity and access management solution developed by Keycloak. There is a security vulnerability in Keycloak. This vulnerability stems from an access control flaw in the Account Resources user lookup endpoint. It allows remote authenticated users who have at least one...
Revive Adserver: Information Disclosure via “Add user” lookup in Account Management (User Access)
Version: ==revive-adserver 6.0.0== Flow Administrator Account ├── Management 1 │ ├── User A1 │ └── User A2 └── Management 2 ├── User B1 leak email, contacname └── User B2 leak email, contacname Summary: When a user under Management 1 navigates to User Access → Add user and enters a username, the...
EUVD-2022-48755
Malicious code in bioql PyPI...
CVE-2022-45910
Improper neutralization of special elements used in an LDAP query 'LDAP Injection' vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries DoS, additional queries, filter manipulation during...
CVE-2024-53679
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevate...
CVE-2024-53679
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevate...
CVE-2024-53679
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevate...
CVE-2024-53679
CVE-2024-53679 is an Apache VCL XSS in the User Lookup form. The issue is caused by improper neutralization of input during web page generation, allowing a user with sufficient rights to craft or click a URL that can elevate privileges for a specified user. Affected software: Apache VCL up to ver...
CVE-2024-53679 Apache VCL: XSS vulnerability in User Lookup impacting user privileges
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevate...
CVE-2023-39469
PaperCut NG External User Lookup Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PaperCut NG. Authentication is required to exploit this vulnerability. The specific flaw exists within the Externa...