211 matches found
CVE-2024-23831
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used...
CVE-2023-49262
The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session...
PT-2024-13719 · Hongdian · H8951-4G-Esp +1
Name of the Vulnerable Software and Affected Versions: Software affected versions not specified Description: The authentication mechanism can be bypassed by overflowing the value of the authentication field in the Cookie, provided there is an active user session. Recommendations: At the moment,...
Improper Authorization
github.com/mattermost/mattermost/ is vulnerable to Improper Authorization. The vulnerability is caused when user receives updated permissions during active session. This freshly demoted guest can change group names...
PT-2023-9220 · Nextcloud +2 · Nextcloud Enterprise Server +3
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 26.0.9 and 27.1.4 Nextcloud Enterprise Server versions prior to 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 Description: The issue is related to Nextcloud Server, an open source cloud platform, wher...
Code injection
ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as javascript, which can be executed during rendering. Due to a missing security header, an attacker could inject code to...
asyncua Improper Authentication vulnerability
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session...
CVE-2023-26150
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session...
UBUNTU-CVE-2023-26150
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session...
CVE-2023-26150
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session...
CVE-2023-26150
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session...
The vulnerability of the QMS.Mobile module of the quality management software for automobile manufacturers allows a violator to intercept an active session.
The vulnerability of the QMS.Mobile module of the quality management software for automobile manufacturers, QMS Automotive, is related to incorrect session duration. Exploiting this vulnerability could allow an attacker to intercept the active session...
Cross site request forgery (csrf)
A cross-site request forgery CSRF token bypass was identified in PRTG 23.2.84.1566 and earlier versions that allows remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request. This could...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session. Remediation Upgrade asyncua to...
CVE-2022-4874
Authentication bypass in Netcomm router models NF20MESH, NF20, and NL1902 allows an unauthenticated user to access content. In order to serve static content, the application performs a check for the existence of specific characters in the URL .css, .png etc. If it exists, it performs a “fake logi...
Siemens POWER METER SICAM Q100 Session Fixed Vulnerability
The POWER METER SICAM Q100 is a multifunctional device for detecting, reporting and analyzing measured values and events. A session fixation vulnerability exists in the Siemens POWER METER SICAM Q100, which can be exploited by an attacker to gain access to a user's account via an active session...
CVE-2020-8976
The integrated server of the ZGR TPS200 NG on its 2.00 firmware version and 1.01 hardware version, allows a remote attacker to perform actions with the permissions of a victim user. For this to happen, the victim user has to have an active session and triggers the malicious request...
CVE-2020-8976
The integrated server of the ZGR TPS200 NG on its 2.00 firmware version and 1.01 hardware version, allows a remote attacker to perform actions with the permissions of a victim user. For this to happen, the victim user has to have an active session and triggers the malicious request...
CVE-2020-8976 ZGR TPS200 Cross-Site Request Forgery (CSRF)
The integrated server of the ZGR TPS200 NG on its 2.00 firmware version and 1.01 hardware version, allows a remote attacker to perform actions with the permissions of a victim user. For this to happen, the victim user has to have an active session and triggers the malicious request...
CVE-2020-8976
CVE-2020-8976 affects ZGR TPS200 NG (firmware 2.00, hardware 1.01). The vulnerability allows a remote attacker to perform actions with the victim user’s permissions when the victim has an active session and triggers a malicious request (CSRF). Documented impacts include high/critical Confidential...