Lucene search

85 matches found

Positive Technologies
added 2024/11/08 12:00 a.m. · 2 views

PT-2024-31241 · Mgt Commerce Gmbh · Cloudpanel

Name of the Vulnerable Software and Affected Versions: MGT-COMMERCE GmbH CloudPanel versions 2.0.0 through 2.4.2
Description: An Improper Authorization Access Control Misconfiguration issue allows low-privilege users to bypass access controls, gaining unauthorized access to sensitive configuratio...

CVSS 6.5 · AI score 7.5 · EPSS 0.0272
Exploits 1 · References 9
Vulnrichment
added 2024/11/04 12:00 a.m. · 7 views

CVE-2024-45164

Akamai SIA Secure Internet Access Enterprise ThreatAvert, in SPS Security and Personalization Services before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticat...

AI score 6.8 · EPSS 0.00167
Exploits 1 · References 2
Vulnrichment
added 2024/07/09 10:27 a.m. · 10 views

CVE-2023-38052 A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} in EasyAppointments < 1.5.0

A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low-privileged user to fetch, modify or delete a high-privileged user (admin). This results in unauthorized access and unauthorized data manipulation...

CVSS 9.9 · AI score 6.5 · EPSS 0.00223
Exploits 0 · References 1
NVD
added 2024/06/22 5:15 a.m. · 18 views

CVE-2024-21516

This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The...

CVSS 4.7 · EPSS 0.00305
Exploits 1 · References 2
Vulnrichment
added 2024/06/22 5:00 a.m. · 16 views

CVE-2024-21516

This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The...

CVSS 4.2 · AI score 4.8 · EPSS 0.00305
Exploits 1 · References 2
OSV
added 2024/04/15 12:15 a.m. · 0 views

CVE-2024-29837

The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below uses poor session management, allowing for an unauthenticated attacker to access administrator functionality if any other user is already signed in...

CVSS 8.8 · AI score 5.8 · EPSS 0.00227
Exploits 0 · References 1
Positive Technologies
added 2024/04/14 12:00 a.m. · 2 views

PT-2024-23074

Name of the Vulnerable Software and Affected Versions: Evolution Controller versions 2.04.560.31.03.2024 and below
Description: The Web interface of Evolution Controller uses poor session management, allowing an unauthenticated attacker to access administrator functionality if any other user is...

CVSS 9.8 · AI score 6.6 · EPSS 0.00227
Exploits 0 · References 5
0day.today
added 2024/03/20 12:00 a.m. · 294 views

Tramyardg Autoexpress 1.3.0 Authentication Bypass Vulnerability

Tramyardg Autoexpress version 1.3.0 allows for authentication bypass via unauthenticated API access to admin functionality. This could allow a remote anonymous attacker to delete or update vehicles as well as upload images for vehicles.
Exploit Title: tramyardg autoexpress - Authentication Bypass...

CVSS 9.8 · AI score 7.9 · EPSS 0.00209
Exploits 3
Vulnrichment
added 2024/02/05 9:21 p.m. · 6 views

CVE-2024-0797 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 - Missing Authorization

The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 1.0.6.1. This makes it possible fo...

CVSS 4.3 · AI score 6.7 · EPSS 0.00134
Exploits 0 · References 2
Positive Technologies
added 2023/10/11 12:00 a.m. · 1 view

PT-2023-21685 · Peplink · Peplink Surf Soho

Name of the Vulnerable Software and Affected Versions: peplink Surf SOHO HW1 version 6.3.5
Description: An OS command injection issue exists in the admin.cgi MVPN trial init functionality. A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP...

CVSS 8.8 · AI score 8.8 · EPSS 0.00325
Exploits 1 · References 3
Prion
added 2023/09/06 7:15 p.m. · 9 views

Code injection

SearchBlox before Version 9.2.1 is vulnerable to Privilege Escalation: a lower-privileged user is able to access Admin functionality...

CVSS 6.5 · AI score 8.6 · EPSS 0.00213
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2023/09/06 6:44 p.m. · 9 views

CVE-2020-10129

SearchBlox before Version 9.2.1 is vulnerable to Privilege Escalation: a lower-privileged user is able to access Admin functionality...

AI score 6.8 · EPSS 0.00213
Exploits 0 · References 1
NVD
added 2023/06/28 9:15 a.m. · 8 views

CVE-2023-3034

Reflected XSS affects the ‘mode’ parameter in the /admin functionality of the web application in versions <= 2.0.44...

CVSS 6.1 · AI score 5 · EPSS 0.00116
Exploits 0 · References 2
OSV
added 2023/06/28 9:15 a.m. · 0 views

CVE-2023-3034

Reflected XSS affects the ‘mode’ parameter in the /admin functionality of the web application in versions <= 2.0.44...

CVSS 6.1 · AI score 5.8 · EPSS 0.00116
Exploits 0 · References 2
CVE
added 2023/06/28 8:09 a.m. · 27 views

CVE-2023-3034

Summary: CVE-2023-3034 is a reflected XSS vulnerability in the BKG Ntrip Professional Caster (NtripCaster) web app, affecting versions <= 2.0.44. The issue is triggered via the ‘mode’ parameter in the /admin endpoint.
Affected software: BKG Ntrip Professional Caster (NtripCaster)

CVSS 6.1 · AI score 5 · EPSS 0.00116
Exploits 0 · References 2 · Affected Software 1
wpexploit
added 2023/06/15 12:00 a.m. · 162 views

Contact Form by WD <= 1.13.23 - Admin+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
1. When editing a form, go to "Settings MySQL Mapping".
2. Click "Add a Query".
3. When mapping the form to the database in...

AI score 9.2 · EPSS 0.00715
Exploits 2
Packet Storm
added 2023/05/31 12:00 a.m. · 293 views

Lost And Found Information System 1.0 Broken Access Control / Privilege Escalation

Vulnerability: Broken Access Control
Author: Akash Pandey
CVE: CVE-2023-3018
Source: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
Steps to reproduce:
1. Go to https://site.com/admin/?page=user/list as staff user...

AI score 7.1 · EPSS 0.00259
Exploits 3
Prion
added 2022/11/13 8:15 a.m. · 11 views

Cross site scripting

A vulnerability has been found in emlog and classified as problematic. Affected by this vulnerability is an unknown functionality of the file admin/articlesave.php. The manipulation of the argument tag leads to cross site scripting. The attack can be launched remotely. The name of the patch is...

CVSS 5.8 · AI score 6.1 · EPSS 0.00224
Exploits 0 · References 2 · Affected Software 1
wpexploit
added 2022/09/26 12:00 a.m. · 91 views

Tutor LMS < 2.0.10 - Admin+ Stored Cross-Site Scripting

The plugin does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Create/Edit a Course, add a new Topic and put the following...

CVSS 4.8 · AI score 4.7 · EPSS 0.00304
Exploits 2
NVD
added 2022/08/19 1:15 p.m. · 13 views

CVE-2022-35909

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality...

CVSS 8.8 · EPSS 0.00784
Exploits 1 · References 3