509 matches found
CVE-2026-35181 WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...
CVE-2026-35181 WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...
CVE-2026-35181
CVE-2026-35181 affects WWBN AVideo prior to 29.x. The endpoint admin/playerUpdate.json.php does not validate CSRF tokens, and the ORM security check excludes the plugins table via ignoreTableSecurityCheck(), removing the remaining defense. Coupled with SameSite=None cookies, an authenticated admi...
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...
CVE-2026-28767 Gardyn Cloud API Missing Authentication for Critical Function
A specific administrative endpoint notifications is accessible without proper authentication...
CVE-2026-32646 Gardyn Cloud API Missing Authentication for Critical Function
A specific administrative endpoint is accessible without proper authentication, exposing device management functions...
CVE-2026-32646
A specific administrative endpoint is accessible without proper authentication, exposing device management functions...
PT-2026-30285
Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to missing restoreTenant from the adminMutationMWConfig. An attacker can overwrite the entire database, read arbitrary server-side files, and perform server-side request forgery by sending crafted requests to t...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to missing restoreTenant from the adminMutationMWConfig. An attacker can overwrite the entire database, read arbitrary server-side files, and perform server-side request forgery by sending crafted requests to t...
org.keycloak.services.resources.admin.UserResource: Keycloak: Information disclosure of disabled user attributes via administrative endpoint
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized...
EUVD-2026-17630
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-29909
MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials...
PT-2026-29352
Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description AVideo’s admin plugin configuration endpoint admin/save.json.php is susceptible to cross-site request forgery CSRF attacks due to the absence of CSRF token validation. The application's configuration...
CVE-2026-29909
MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, allowing remote attackers to enumerate directory contents on the server without any credentials...
PT-2026-28657
Name of the Vulnerable Software and Affected Versions itsourcecode Free Hotel Reservation System version 1.0 Description A manipulation of the image argument in the file '/admin/mod amenities/index.php?view=add' causes unrestricted upload. The attack can be carried out remotely. The exploit has...
CVE-2026-33501
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...
Incorrect Privilege Assignment
Overview Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the signupHandler function. An attacker can gain full administrative privileges by registering a new account when self-registration is enabled and the default permissions include administrative rights...
GHSA-XH32-C9WX-PHRP Keycloak: Information disclosure of disabled user attributes via administrative endpoint
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized...
EUVD-2026-11107
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized...