Lucene search
+L

64 matches found

Vulnrichment
Vulnrichment
added 2024/04/10 5:7 p.m.15 views

CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...

7.2CVSS7.2AI score0.0095EPSS
Exploits1References2
Cvelist
Cvelist
added 2024/04/10 5:7 p.m.28 views

CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...

7.2CVSS7.2AI score0.0095EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2024/04/10 12:0 a.m.6 views

PT-2024-24905 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm affected versions not specified Description: A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The...

7.2CVSS6.9AI score0.0095EPSS
Exploits1References6
Code423n4
Code423n4
added 2023/12/21 12:0 a.m.10 views

Missing access control on critical functions

Lines of code Vulnerability details The broad admin role enables arbitrary manipulation of the heap without restrictions. Recommendation: Implement granular access control and privilege separation. Implement an access control system such as OpenZeppelin AccessControl to restrict access to these...

7.4AI score
Exploits0
IBM Security Bulletins
IBM Security Bulletins
added 2023/02/01 11:19 a.m.16 views

Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for user privilege escalation

Summary IBM Cloud Pak for Multicloud Management Monitoring has patched for users without admin roles. Non-admin user should not access to admin functions by specifying direct URL paths. Vulnerability Details IBM X-Force ID: 238210 DESCRIPTION: IBM Cloud Pak for Multicloud Management Monitoring...

6.6AI score
Exploits0Affected Software1
CVE
CVE
added 2023/01/16 3:37 p.m.65 views

CVE-2022-4327

CVE-2022-4327 corresponds to a PHP Object Injection issue in the WordPress plugin Anti-Malware Security and Brute-Force Firewall. The root cause is unsafe unserialize usage that can be exploited by privileged users (admin) to trigger gadget chains, enabling arbitrary object injection. Affected re...

6.8AI score
Exploits1
Prion
Prion
added 2022/12/12 6:15 p.m.19 views

Cross site scripting

The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks...

4.9CVSS5.3AI score0.00869EPSS
Exploits2References1Affected Software1
Code423n4
Code423n4
added 2022/08/15 12:0 a.m.11 views

Exposure of critical functions

Lines of code Vulnerability details Impact AdminRole mixin exposes critical functions without any restrictions like grantAdmin revokeAdmin Proof of Concept Criticial functions like grantAdmin can be externally accessed changing the critical roles like admin. // for eg: function grantAdminaddress...

7AI score
Exploits0
Hacker One
Hacker One
added 2022/06/20 4:3 p.m.29 views

Omise: Unauthorized Access - downgraded admin roles to none can still edit projects through brupsuite

hi team, I found that your site is vulnerable to Unauthorized Access lead to privilege escalation, where when the owner invites a user with admin roles, the user can still edit anything with admin access, via brupsuite, it should get an error message because the admin role has been removed...

0.3AI score
Exploits0
Positive Technologies
Positive Technologies
added 2022/04/13 12:0 a.m.4 views

PT-2022-13805 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 6.4.1 and earlier Description: The issue is related to improper privilege management in Mattermost, where an API fails to properly protect permissions. This allows authenticated members with restricted custom admin roles t...

4.3CVSS7AI score0.00625EPSS
Exploits0References10
NVD
NVD
added 2022/03/24 3:15 p.m.33 views

CVE-2022-0550

Improper Input Validation vulnerability in custom report logo upload in Nozomi Networks Guardian, and CMC allows an authenticated attacker with admin or report manager roles to execute unattended commands on the appliance using web server user privileges. This issue affects: Nozomi Networks...

8.6CVSS0.00868EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2022/03/24 2:15 p.m.19 views

CVE-2022-0551 Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0

Improper Input Validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticated attacker with admin or import manager roles to execute unattended commands on the appliance using web server user privileges. This issue affects: Nozomi Networks Guardian...

8.6CVSS7.2AI score0.00868EPSS
Exploits0References1
Code423n4
Code423n4
added 2022/02/24 12:0 a.m.13 views

Foundation Treasury initialize() function can be called by an attacker first

Lines of code Vulnerability details Impact In FoundationTreasury.sol the initialize function can only be called once setting the admin and operator roles which are used in other contracts. The problem is that this initialize function is not called in any deployment script which means an attacker...

6.9AI score
Exploits0
Snyk
Snyk
added 2022/02/01 2:12 p.m.4 views

Cross-site Scripting (XSS)

Overview s-cart/core is a free Laravel e-commerce for business. Affected versions of this package are vulnerable to Cross-site Scripting XSS which can lead to cookie stealing of any victim that visits the affected URL so the attacker can gain unauthorized access to that user's account through the...

5.4CVSS5.2AI score0.0058EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2022/01/25 8:15 p.m.6 views

CVE-2022-23008

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software...

5.5CVSS6.2AI score0.0053EPSS
Exploits0References2
CVE
CVE
added 2021/07/02 5:51 p.m.61 views

CVE-2020-36396

The CVE refers to LavaLite 5.8.0, specifically a stored XSS in the /admin/roles/role component. An authenticated attacker can inject arbitrary web scripts/HTML via the New parameter, enabling script execution in the context of the logged-in user. The provided connected documents confirm the vulne...

5.4CVSS5.2AI score0.005EPSS
Exploits1References1Affected Software1
CNNVD
CNNVD
added 2021/07/02 12:0 a.m.5 views

LavaLite 跨站脚本漏洞

Lavalite is an open source content management system developed using the Laravel framework. A stored cross-site scripting vulnerability exists in the /admin/roles/role component of LavaLite version 5.8.0, which can be exploited by an attacker to execute arbitrary Web script or HTML via the ""New"...

5.4CVSS5.5AI score0.005EPSS
Exploits1References1
Prion
Prion
added 2021/04/05 7:15 p.m.31 views

Authentication flaw

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user including admin by just providing the related username, as well as create accounts with...

7.5CVSS9.5AI score0.14462EPSS
Exploits3References3Affected Software1
WPVulnDB
WPVulnDB
added 2021/03/08 12:0 a.m.41 views

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

The plugin was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user including admin by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even ...

7.5CVSS0.9AI score0.14462EPSS
Exploits3References2Affected Software1
RedHat Linux
RedHat Linux
added 2017/06/28 2:52 p.m.10 views

openstack-keystone: Incorrect role assignment with federated Keystone

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...

7.2CVSS5.8AI score0.02106EPSS
Exploits1References4
Rows per page
Query Builder