236 matches found
CVE-2026-38533
An improper authorization vulnerability in the /api/v1/users/id endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...
Snipe-IT 安全漏洞
Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Version Snipe-IT v8.4.0 contains a security vulnerability. This vulnerability stems from the improper authorization in the/api/v1/users/id endpoint, which may allow authenticated attackers with the...
CVE-2026-38533
CVE-2026-38533 : In Snipe-IT v8.4.0, an improper authorization flaw in the /api/v1/users/{id} endpoint lets authenticated users with the users.edit permission modify sensitive authentication and account-state fields of other non-admin users via a crafted PUT request. Public details show the impac...
CVE-2026-33736
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...
CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...
CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...
PT-2026-32025
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLE STUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...
Chamilo LMS 安全漏洞
Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Versions of Chamilo LMS prior to 2.0.0-RC.3 contained security vulnerabilities. These vulnerabilities allowed an...
EUVD-2019-20099
CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint...
EUVD-2019-20073
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...
CVE-2019-25669
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...
CVE-2019-25682 CMSsite 1.0 Cross-Site Request Forgery via users.php
CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint...
CVE-2019-25682
CMSsite 1.0 contains a cross-site request forgery (CSRF) vulnerability in users.php that allows authenticated administrators to be tricked into submitting POST requests (e.g., source=add_user, source=edit_user, or del=1) to create, modify, or delete admin accounts. The attack is network-based wit...
CVE-2019-25669
qdPM 9.1 is affected by an SQL injection vulnerability in the search_by_extrafields[] parameter. An attacker can craft malicious values and send POST requests to the users endpoint to trigger SQL syntax errors and exfiltrate database information. The issue arises from unvalidated input used in da...
CVE-2019-25669 qdPM 9.1 SQL Injection via search_by_extrafields Parameter
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...
CVE-2019-25669 qdPM 9.1 SQL Injection via search_by_extrafields Parameter
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...
CVE-2019-25669
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...
PT-2026-30478
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search by extrafields parameter. Attackers can send POST requests to the users endpoint with malicious search by extrafields values to trigger SQL syntax errors...
CVE-2016-20053
Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields...
CVE-2016-20053 Redaxo CMS 5.2 Cross-Site Request Forgery via users endpoint
Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields...