21 matches found
CVE-2026-42610
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user EX: Content Editor with only pages.update permissions can bypass the existing Twig sandbox restrictions by utilizing the grav'accounts' service. Attacker can programmatically load administrative user objects and extra...
CVE-2026-42610
Grav CMS vulnerability CVE-2026-42610: A low-privilege user can bypass Twig sandbox via grav['accounts'] to load administrative user objects and extract sensitive data (e.g., bcrypt password hashes and the security salt). This information disclosure affects Grav before 2.0.0-beta.2. The issue is ...
Grav 安全漏洞
Grav is a scalable content management system CMS developed by the Grav open-source community, suitable for use in personal blogs, small content publishing platforms, and single-page product displays. Versions of Grav prior to 2.0.0-beta.2 contained security vulnerabilities. These vulnerabilities...
GHSA-3F29-PQWF-V4J4 Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches notably in v1.8.0-beta.27/28 aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user EX: Content Editor with only...
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches notably in v1.8.0-beta.27/28 aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user EX: Content Editor with only...
Incorrect Authorization
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Incorrect Authorization via the grav'accounts' service. An attacker can access sensitive user data, including password hashes and security...
PT-2026-37276
Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description A low-privileged user, such as a Content Editor with pages.update permissions, can bypass Twig sandbox restrictions by utilizing the grav'accounts' service. This allows an attacker to...
Azure Linux 3.0 Security Update: accountsservice (CVE-2012-6655)
The version of accountsservice installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2012-6655 advisory. - An issue exists AccountService 0.6.37 in the userchangepasswordauthorizedcb function in user.c which...
USN-6687-1 accountsservice vulnerability
It was discovered that AccountsService called a helper incorrectly when performing password change operations. A local attacker could possibly use this issue to obtain encrypted passwords...
USN-6190-2 accountsservice vulnerability
USN-6190-1 fixed a vulnerability in AccountsService. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: Kevin Backhouse discovered that AccountsService incorrectly handled certain D-Bus messages. A local attacker...
USN-6190-1 accountsservice vulnerability
Kevin Backhouse discovered that AccountsService incorrectly handled certain D-Bus messages. A local attacker could use this issue to cause AccountsService to crash, resulting in a denial of service, or possibly execute arbitrary code...
Malicious code in fc-accounts-service (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b557b50f99f6f32efe3fd6bfa3bd3a29383430ab4a8beab13cf65d210eaf549d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-329 Malicious code in fc-accounts-service (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b557b50f99f6f32efe3fd6bfa3bd3a29383430ab4a8beab13cf65d210eaf549d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2012-2737
The userchangeiconfileauthorizedcb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition...
SUSE CVE-2018-14036
Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in userchangeiconfileauthorizedcb in user.c...
The vulnerability of the AccountsService modification (debian/patches/0010-set-language.patch) in the Ubuntu operating system allows a hacker to increase their privileges.
The vulnerability of the AccountsService modification debian/patches/0010-set-language.patch in the Ubuntu operating system involves the release of previously unallocated memory. Exploiting this vulnerability can allow an attacker to increase their privileges...
CVE-2020-16126
An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, improperly dropped the ruid, allowing untrusted users to send signals to AccountService, thus stopping it from handling D-Bus messages in a timely fashion...
AZL-44049 CVE-2012-6655 affecting package accountsservice for versions less than 23.13.9-1
An issue exists AccountService 0.6.37 in the userchangepasswordauthorizedcb function in user.c which could let a local users obtain encrypted passwords...
UBUNTU-CVE-2018-14036
Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in userchangeiconfileauthorizedcb in user.c...
CVE-2012-2737
The userchangeiconfileauthorizedcb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition...