CVE-2024-4928
A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /simple-online-bidding-system/admin/ajax.php?action=deletecategory. The manipulation of the argument id leads to sql...
CVE-2024-1339
The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.13. This is due to missing or incorrect nonce validation on the reinitialize function. This makes it possible for unauthenticated attackers to remove...
Blood Bank & Donor Management SQL Injection Vulnerability
Blood Bank & Donor Management is a blood bank and donor management system. Blood Bank & Donor Management version 5.6 suffers from a SQL injection vulnerability that originates from a flaw in the /admin/request-received-bydonar.php file...
thirty bees Cross-Site Scripting Vulnerability
thirty bees is a mature e-commerce solution by thirty bees open source. A cross-site scripting vulnerability exists in versions prior to thirty bees 1.5.0 that stems from a security issue in the component admin/AdminRequestSqlController.php that allows an attacker to execute arbitrary web script ...
PT-2023-29774 · Unknown · Thirty Bees
Name of the Vulnerable Software and Affected Versions: thirty bees versions prior to 1.5.0 Description: A stored cross-site scripting XSS issue exists due to error mishandling in the admin/AdminRequestSqlController.php component, allowing attackers to execute arbitrary web script or HTML via the...
CVE-2023-51051
S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the Atextauth parameter at /admin/ajax.php...
PT-2023-21723 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.0.3 Discourse versions prior to 3.1.0.beta4 Description: Discourse is an open source platform for community discussion. A maliciously crafted request from a Discourse administrator can lead to a long-running...
Cross site scripting
In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable to a stored XSS vulnerability in the notifications section, which can be triggered directly by sending an ally request to the admin...
GHSA-XQ58-69H2-765M Cross Site Request Forgery in mailman
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request using that token to set a new admin password or make other changes...
Cross Site Request Forgery in mailman
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request using that token to set a new admin password or make other changes...
USN-5180-1 mailman vulnerability
It was discovered that Mailman incorrectly handled CSRF tokens. A remote list member or moderator could possibly use their own token to craft an admin request CSRF attack and set a new admin password or make other changes...
mailman: CSRF token bypass allows to perform CSRF attacks and admin takeover
A Cross-Site Request Forgery (CSRF) attack can be performed in mailman due to a CSRF token bypass. CSRF tokens are not checked against the right type of user when performing admin operations, and a token created by a regular user can be used by an admin to perform an admin-level request, effectively...
CVE-2021-44227
GNU Mailman 2.1.x prior to 2.1.38 is affected by CVE-2021-44227, allowing a list member or moderator to obtain a CSRF token and craft an admin request that can change settings or reset the admin password, potentially leading to admin takeover. Multiple advisories confirm the issue across distribu...
CVE-2021-44227
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request using that token to set a new admin password or make other changes...
CVE-2021-44227
Removed by vendor...
CVE-2021-3135
An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php tdblockid parameter in a tdajaxblock API call...
Design/Logic Flaw
An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The faroptionspage function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript,...
CVE-2020-4362
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929...
CVE-2019-9040
S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user via the admin/ajax.php?type=admin&action=add URI, a related issue to CVE-2018-19332...
CVE-2018-20571
DamiCMS 6.0.1 allows remote attackers to read arbitrary files via a crafted admin.php?s=Tpl/Add/id request, as demonstrated by admin.php?s=Tpl/Add/id/.\Public\Config\config.ini.php to read the global configuration file...