31 matches found
CVE-2026-40325
Summary: CVE-2026-40325 affects Masa CMS (fork of Mura CMS). In versions up to 7.5.2, the cTrash.restore function fails to validate anti-CSRF tokens, allowing an attacker to lure a logged-in administrator into a forged request that restores deleted items and places them at an attacker-controlled ...
GHSA-M297-3JV9-M927 Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider IdP even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the...
CVE-2025-65669
An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction...
EUVD-2022-25608
Malicious code in bioql PyPI...
EUVD-2022-25609
Malicious code in bioql PyPI...
CVE-2022-20349
In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
Teams - Error "Your Admin has restricted Access to the New Teams" in ICA session
When launching New Teams within Remote PC / ICA session, it seems to logon fine the first time. But when the user logs out and logs back in again to Teams the second time and any subsequent attempt, they see the following error message: "Your Admin has restricted Access to the New Teams"...
PT-2023-28714 · Unknown · Wpdatatables
Name of the Vulnerable Software and Affected Versions: wpDataTables versions prior to 2.1.66 Description: The issue concerns the deserialization of arbitrary data due to a lack of validation of the Serialized PHP array input data. This can potentially lead to remote code execution if a suitable...
Only admin can call peg functions
Lines of code Vulnerability details Impact Only admin multisig can call peg functions. This might delay re-pegs. Proof of Concept Both upperDepeg and lowerDepeg are meant to be called by any EOA or whitelisted contracts, but due to the onlyRole modifier, only the admin can currently call these...
PT-2023-23347 · Apache · Apache Streampipes
Name of the Vulnerable Software and Affected Versions: Apache StreamPipes versions 0.69.0 through 0.91.0 Description: A REST interface in Apache StreamPipes was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond th...
PT-2023-16742 · WordPress · Wc Sales Notification
Name of the Vulnerable Software and Affected Versions: WC Sales Notification WordPress plugin versions prior to 1.2.3 Description: The issue concerns a lack of CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog v...
PT-2023-16310 · WordPress · Quickswish
Name of the Vulnerable Software and Affected Versions: QuickSwish WordPress plugin versions prior to 1.1.0 Description: The issue concerns a lack of CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF...
PT-2023-16306 · WordPress · Ht Slider For Elementor
Name of the Vulnerable Software and Affected Versions: HT Slider For Elementor WordPress plugin versions prior to 1.4.0 Description: The issue concerns a lack of CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog...
CVE-2022-36441
An issue was discovered in Zebra Enterprise Home Screen 4.1.19. The Gboard used by different applications can be used to launch and use several other applications that are restricted by the admin...
CVE-2022-20348
In updateState of LocationServicesWifiScanningPreferenceController.java, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
CVE-2022-20348
In updateState of LocationServicesWifiScanningPreferenceController.java, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
CVE-2022-20348
In updateState of LocationServicesWifiScanningPreferenceController.java, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
CVE-2022-20349
In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
CVE-2022-20349
In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
Design/Logic Flaw
In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...