305 matches found
CVE-2020-36894
CVE-2020-36894 affects Eibiz i-Media Server Digital Signage 3.8.0. The vulnerability is an authentication bypass in which crafted AMF-encoded objects manipulated at /messagebroker/amf allow unauthenticated attackers to create administrator users, bypassing security controls. Multiple connected so...
WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE
This module exploits an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin versions 24.12.92 to 51.1.14. The vulnerability exists in the handleregisterajax function which allows unauthenticated attackers to specify the userrole parameter during...
EUVD-2021-34725
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users...
CVE-2021-47730
CVE-2021-47730 affects Selea Targa IP OCR-ANPR Camera and is a cross-site request forgery that allows an attacker to create an admin user without authentication. The provided documents state that a malicious page can submit a form to add a new administrator with full system privileges when a logg...
CVE-2021-47730 Selea Targa IP Camera Cross-Site Request Forgery via Admin Creation
Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user...
CVE-2021-47730 Selea Targa IP Camera Cross-Site Request Forgery via Admin Creation
Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user...
CVE-2021-47723 STVS ProVision Cross-Site Request Forgery (Add Admin)
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users...
CVE-2021-47723
CVE-2021-47723 affects STVS ProVision 5.9.10 and is a Cross-Site Request Forgery vulnerability where unvalidated HTTP requests allow an attacker to perform actions with admin privileges (e.g., create new admin users). The Red Hat and EUVD entries mirror this description. No exploitation details a...
CVE-2021-47723 STVS ProVision Cross-Site Request Forgery (Add Admin)
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users...
📄 WordPress AI Engine 3.1.3 Remote Code Execution
This Metasploit module exploits an unauthenticated vulnerability in the WordPress AI Engine plugin versions less than or equal to 3.1.3. The vulnerability allows an attacker to create an administrator account via the MCP Model Context Protocol endpoint without authentication. The module supports...
CVE-2025-62189
Summary: CVE-2025-62189 affects LogStare Collector, with an incorrect authorization in the UserRegistration component that could allow a non-administrative user to create new accounts via a crafted HTTP request. The issue is corroborated across multiple sources (NVD, Red Hat, JVN, CVE listings). ...
CVE-2025-63221
The Axel Technology puma devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system...
CVE-2025-63221
The Axel Technology puma devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system...
EUVD-2025-198156
The Axel Technology WOLF1MS and WOLF2MS devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and...
CVE-2025-63218
The Axel Technology WOLF1MS and WOLF2MS devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and...
CVE-2025-63223
The Axel Technology StreamerMAX MK II devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and...
CVE-2025-63218
The CVE-2025-63218 vulnerability affects Axel Technology WOLF1MS and WOLF2MS devices (firmware 0.8.5–1.0.3). It is caused by Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, enabling unauthenticated remote attackers to list user accounts, create administr...
PT-2025-46973
Name of the Vulnerable Software and Affected Versions: Fortinet FortiWeb versions 7.0.0 through 8.0.1 Description: A relative path traversal vulnerability exists in Fortinet FortiWeb versions 7.0.0 through 8.0.1. This flaw allows an unauthenticated attacker to execute administrative commands on t...
CVE-2025-11855
The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the agerestrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password...
PT-2025-46301
Name of the Vulnerable Software and Affected Versions age-restriction WordPress plugin versions through 3.0.2 Description The age-restriction WordPress plugin does not have proper authorisation within the age restrictionRemoteSupportRequest function. This allows authenticated users, even those wi...