Lucene search
K

236 matches found

Cvelist
Cvelist
added 2026/04/14 12:0 a.m.32 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/id endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

0.00311EPSS
Exploits2References2
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.8 views

Snipe-IT 安全漏洞

Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Version Snipe-IT v8.4.0 contains a security vulnerability. This vulnerability stems from the improper authorization in the/api/v1/users/id endpoint, which may allow authenticated attackers with the...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References3
CVE
CVE
added 2026/04/14 12:0 a.m.15 views

CVE-2026-38533

CVE-2026-38533 : In Snipe-IT v8.4.0, an improper authorization flaw in the /api/v1/users/{id} endpoint lets authenticated users with the users.edit permission modify sensitive authentication and account-state fields of other non-admin users via a crafted PUT request. Public details show the impac...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References3Affected Software1
NVD
NVD
added 2026/04/10 7:16 p.m.7 views

CVE-2026-33736

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

6.5CVSS0.00209EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/10 7:3 p.m.2 views

CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

6.5CVSS5.8AI score0.00209EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/10 7:3 p.m.19 views

CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

6.5CVSS0.00209EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.4 views

PT-2026-32025

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLE STUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

6.5CVSS5.8AI score0.00209EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.10 views

Chamilo LMS 安全漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Versions of Chamilo LMS prior to 2.0.0-RC.3 contained security vulnerabilities. These vulnerabilities allowed an...

6.5CVSS5.9AI score0.00209EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/05 9:30 p.m.4 views

EUVD-2019-20099

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint...

5.3CVSS5.9AI score0.00132EPSS
Exploits1References4
EUVD
EUVD
added 2026/04/05 9:30 p.m.6 views

EUVD-2019-20073

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...

8.8CVSS6.1AI score0.00311EPSS
Exploits1References5
NVD
NVD
added 2026/04/05 9:16 p.m.6 views

CVE-2019-25669

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...

8.8CVSS0.00311EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/04/05 8:45 p.m.23 views

CVE-2019-25682 CMSsite 1.0 Cross-Site Request Forgery via users.php

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint...

5.3CVSS0.00132EPSS
Exploits1References3
CVE
CVE
added 2026/04/05 8:45 p.m.13 views

CVE-2019-25682

CMSsite 1.0 contains a cross-site request forgery (CSRF) vulnerability in users.php that allows authenticated administrators to be tricked into submitting POST requests (e.g., source=add_user, source=edit_user, or del=1) to create, modify, or delete admin accounts. The attack is network-based wit...

5.3CVSS5.9AI score0.00132EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/04/05 8:45 p.m.10 views

CVE-2019-25669

qdPM 9.1 is affected by an SQL injection vulnerability in the search_by_extrafields[] parameter. An attacker can craft malicious values and send POST requests to the users endpoint to trigger SQL syntax errors and exfiltrate database information. The issue arises from unvalidated input used in da...

8.8CVSS6.1AI score0.00311EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/04/05 8:45 p.m.22 views

CVE-2019-25669 qdPM 9.1 SQL Injection via search_by_extrafields Parameter

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...

8.8CVSS0.00311EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/04/05 8:45 p.m.2 views

CVE-2019-25669 qdPM 9.1 SQL Injection via search_by_extrafields Parameter

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...

8.8CVSS6.1AI score0.00311EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/05 8:45 p.m.1 views

CVE-2019-25669

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...

8.8CVSS6.1AI score0.00311EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/05 12:0 a.m.19 views

PT-2026-30478

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search by extrafields parameter. Attackers can send POST requests to the users endpoint with malicious search by extrafields values to trigger SQL syntax errors...

8.8CVSS6.1AI score0.00311EPSS
Exploits1References5
NVD
NVD
added 2026/04/04 2:16 p.m.7 views

CVE-2016-20053

Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields...

6.9CVSS0.00146EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/04 1:50 p.m.2 views

CVE-2016-20053 Redaxo CMS 5.2 Cross-Site Request Forgery via users endpoint

Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields...

6.9CVSS5.9AI score0.00146EPSS
Exploits1References2
Rows per page
Query Builder