24 matches found
EUVD-2026-20534
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given...
CVE-2026-35407 Saleor has Cross-Account Email Change via Unbound Confirmation Token
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow, the confirmation flow did not verify that the email change confirmation token was issued for the given...
CVE-2026-35407
Saleor’s CVE-2026-35407 describes a cross-account email-change weakness in the account email-change workflow. The confirmation token could be used for a different authenticated user, allowing the token’s new_email to update the second account’s address even though the token wasn’t issued for that...
CVE-2026-24932
The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle MitM attack, whi...
CVE-2026-24932
The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle MitM attack, whi...
CVE-2026-24932
The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle MitM attack, whi...
PT-2026-2832
The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the /wp-json/lottiefiles/v1/settings/ REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site...
Unverified Password Change
Overview flowise-ui is a Affected versions of this package are vulnerable to Unverified Password Change via the profile update process. An attacker can gain unauthorized access to user accounts by changing the email address associated with an account without additional verification steps. Note:...
SUSE CVE-2016-11077
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account...
EUVD-2020-1416
Malware in sbrugna...
EUVD-2023-44857
Malicious code in bioql PyPI...
CVE-2025-5060
The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebookajaxlogincallback. This makes it possible for...
CVE-2025-3880
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with...
CVE-2022-31185
mprweb is a hosting platform for the makedeb Package Repository. Email addresses were found to not have been hidden, even if a user had clicked the Hide Email Address checkbox on their account page, or during signup. This could lead to an account's email being leaked, which may be problematic if...
CVE-2021-37693
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email...
About the security content of iOS 16.5 and iPadOS 16.5
About the security content of iOS 16.5 and iPadOS 16.5 This document describes the security content of iOS 16.5 and iPadOS 16.5. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches ...
RubyGems 授权问题漏洞
RubyGems is a Ruby package manager from the RubyGems organization. The product is primarily used to distribute and manage Ruby packages. RubyGems suffers from a security vulnerability that stems from an error in the password and email change confirmation code that allows an attacker to change the...
GHSA-RVFC-G8J5-9CCF Generation of Error Message Containing Sensitive Information in Keycloak
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack...
CVE-2020-1717
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack...
CVE-2020-1717
Keycloak 7.0.1 contains an account email enumeration issue where a logged-in user can determine whether an email is associated with an existing account. The CVE entry notes a low overall CVSS v3.1 base score (2.7) with Confidentiality impact as the primary concern; Privileges Required is High, an...