Yii Framework Cross-Site Request Forgery (CSRF)
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity...
Moodle does not consider the moodle/tag:flag capability
tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as...
GHSA-6VC5-V7HW-H5H2 Cross-site Scripting in RosarioSIS
RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php...
Cross-site Scripting in RosarioSIS
RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php...
Simple Forum-Discussion System SQL Injection Vulnerability
Simple Forum-Discussion System is a simple forum/discussion system. A SQL injection vulnerability exists in Simple Forum-Discussion System, originating in various components such as manage topic.php, manage user.php and ajax.php, due to a lack of validation of externally supplied input used in SQL statements. An...
CVE-2021-41696
An authentication bypass account takeover vulnerability exists in Premiumdatingscript 4.2.7.7 due to a weak password reset mechanism in requests\user.php...
CVE-2021-41694
An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php...
Design/Logic Flaw
An issue in the component route\user.php of Xiuno BBS v4.0.4 allows attackers to enumerate usernames...
PT-2021-10414 · Zzcms · Zzcms
Name of the Vulnerable Software and Affected Versions: ZZCMS version 2018 Description: A remote code execution issue in the template user.php file allows attackers to execute arbitrary PHP code. This is achieved via the ml and title parameters. Recommendations: For ZZCMS version 2018, consider...
CASAP Automated Enrollment Cross-Site Scripting Vulnerability (CNVD-2021-57776)
CASAP Automated Enrollment is an automated enrollment system for the CASAP organization in the United States. The purpose of the project is to provide CASAP with an automated enrollment system to streamline the school process and make it more effective, efficient and easy to retrieve...
in beestat/app
Description: The random number generator implemented by mtrand cannot withstand a cryptographic attack. In this case the function that generates weak random numbers is mtrand in user.php at line 58. Proof of Concept: Vulnerable Code / Create an anonymous user so we can log in and have access...
CVE-2020-20640
Cross-site scripting (XSS) vulnerability in ECShop 4.0 due to security filtering issues in the user.php file: HTML entity encoding can be used to bypass the security policy of the safety.php file, triggering the XSS vulnerability...
in phpservermon/phpservermon
Description: The random number generator implemented by mtrand cannot withstand a cryptographic attack. Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in a security-sensitive context. In this case the function that generates...
CVE-2020-22723
A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address...
Cross site scripting
A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address...
CVE-2020-25004
Heybbs v1.2 has a SQL injection vulnerability in the user.php file via the ID parameter, which may allow a remote attacker to execute arbitrary code...
Sql injection
Heybbs v1.2 has a SQL injection vulnerability in the user.php file via the ID parameter, which may allow a remote attacker to execute arbitrary code...
CVE-2020-25004
CVE-2020-25004 affects Heybbs v1.2. The vulnerability is a SQL injection in the user.php file via the ID parameter that may allow a remote attacker to execute arbitrary code. According to the connected documents, exploitation details are not provided in these sources, and CVSS metrics from NVD in...