31 matches found
CVE-2026-43579
OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile setting...
CVE-2026-43579 OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes
OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile setting...
CVE-2026-42433
OpenClaw vulnerable before 2026.4.10: an authorization bypass lets an operator.write message-tool path access Matrix profile persistence with admin-level authority. Exploitation would allow non-owner message-tools to mutate persistent profile configuration due to insufficient access controls. Aff...
CVE-2026-42433
OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner...
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
Summary Matrix profile config persistence was reachable from operator.write message tools. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Gateway operator.write message-tool paths could reach Matrix profile persistence that should have...
GHSA-F3H5-H452-VP3J OpenClaw: Nostr profile mutation routes allowed operator.write config persistence
Summary Nostr profile mutation routes allowed operator.write config persistence. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin...
CVE-2021-37270
There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can use this vulnerability to directly access the specified background path without logging in to the background to obtain the background administrator authority...
CVE-2019-12354
An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/showbad.php when the attacker has admin authority via the id parameter...
CVE-2019-12359
An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/ztliuyansendmail.php when the attacker has admin authority via the id parameter...
Cross site scripting
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Milesi Amministrazione Trasparente plugin = 8.0.2 versions...
CVE-2022-22445
An attacker that gains service access to the FSP POWER9 only or gains admin authority to a partition can compromise partition firmware...
CVE-2022-22445
IBM PowerVM Hypervisor on POWER9 systems is affected by CVE-2022-22445. An attacker gaining service access to the FSP or admin authority in a partition can compromise partition firmware. The IBM advisory and related sources specify affected PowerVM Hypervisor versions FW1010 and later, FW950 and ...
Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware.
Summary PowerVM partition firmware is the portion that executes in each partition during boot. On POWER9 systems an attacker that gains service access to the FSP can compromise partition firmware for any partition configured on the system. On all affected systems an attacker that gains admin...
CVE-2019-12357
An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/deluser.php when the attacker has admin authority via the id parameter...
CVE-2019-12353
An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/dlsendmail.php when the attacker has admin authority via the id parameter...
SQL injection
An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/showbad.php when the attacker has admin authority via the id parameter...