1568 matches found

NVD
added 2024/01/03 3:15 a.m. · 14 views

CVE-2023-50343

HCL DRYiCE MyXalytics is impacted by an Improper Access Control Controller APIs vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users...

CVSS 8.3 · AI score 8.2 · EPSS 0.00059
Exploits 0 · References 1
Prion
added 2024/01/03 3:15 a.m. · 21 views

Improper access control

HCL DRYiCE MyXalytics is impacted by an Improper Access Control Controller APIs vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users...

CVSS 4 · AI score 6.7 · EPSS 0.00059
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2024/01/03 2:37 a.m. · 13 views

CVE-2023-50343 Improper Access Control (Controller APIs) affects DRYiCE MyXalytics

HCL DRYiCE MyXalytics is impacted by an Improper Access Control Controller APIs vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users...

CVSS 8.3 · AI score 8.3 · EPSS 0.00059
Exploits 0 · References 1
Positive Technologies
added 2024/01/02 12:00 a.m. · 2 views

PT-2024-13913 · Hcl · Hcl Dryice Myxalytics

Name of the Vulnerable Software and Affected Versions: HCL DRYiCE MyXalytics, affected versions not specified. Description: The issue is related to an Improper Access Control vulnerability in Controller APIs. Certain API endpoints, such as "/api/v1/login" or "/users/id", are accessible to Customer...

CVSS 8.3 · AI score 6.3 · EPSS 0.00059
Exploits 0 · References 5
Prion
added 2023/12/26 7:15 p.m. · 16 views

Code injection

The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users...

CVSS 6.5 · AI score 6.9 · EPSS 0.00117
Exploits 2 · References 1 · Affected Software 1
Positive Technologies
added 2023/12/26 12:00 a.m. · 5 views

PT-2023-31532 · Growi · Growi

Name of the Vulnerable Software and Affected Versions: GROWI versions prior to v6.0.6. Description: An improper authorization issue exists in the User Management page, specifically at the /admin/users endpoint. This issue can lead to unintended deletion or suspension of a user's account...

CVSS 6.5 · AI score 6.4 · EPSS 0.0055
Exploits 0 · References 7
CNNVD
added 2023/12/26 12:00 a.m. · 2 views

Weseek GROWI Security Vulnerability

Weseek GROWI is a team collaboration software from Weseek Japan. A security vulnerability exists in Weseek GROWI versions prior to 6.1.11, which stems from a stored cross-site scripting (XSS) vulnerability in the User Management /admin/users page...

CVSS 5.4 · AI score 5.6 · EPSS 0.00492
Exploits 0 · References 3
Positive Technologies
added 2023/12/20 12:00 a.m. · 3 views

PT-2023-31436 · Unknown · Customer Support System

Name of the Vulnerable Software and Affected Versions: Customer Support System version v1. Description: The issue is related to incorrect access control, allowing non-administrator users to access administrative pages and execute actions that are supposed to be reserved for administrators...

CVSS 8.8 · AI score 7.3 · EPSS 0.00529
Exploits 1 · References 4
Vulnrichment
added 2023/12/18 8:07 p.m. · 10 views

CVE-2023-5005 Autocomplete Location field Contact Form 7 < 3.0 - Admin+ Stored Cross-Site Scripting

The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0 and the autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 do not sanitise and escape some of their settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...

AI score 4.7 · EPSS 0.00086
Exploits 2 · References 1
OSV
added 2023/12/11 8:15 p.m. · 2 views

CVE-2023-5749

The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 · AI score 5.8 · EPSS 0.0146
Exploits 2 · References 1
NVD
added 2023/11/22 6:15 p.m. · 13 views

CVE-2023-48646

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings...

CVSS 7.2 · EPSS 0.54141
Exploits 0 · References 1
Prion
added 2023/11/22 6:15 p.m. · 16 views

Command injection

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings...

CVSS 5.8 · AI score 8 · EPSS 0.54141
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2023/11/22 12:00 a.m. · 15 views

CVE-2023-48646

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings...

AI score 7.6 · EPSS 0.54141
Exploits 0 · References 1
OSV
added 2023/11/20 7:15 p.m. · 3 views

CVE-2023-5140

The Bonus for Woo WordPress plugin before 5.8.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 · AI score 7.3 · EPSS 0.00117
Exploits 2 · References 1
Cvelist
added 2023/11/20 7:23 a.m. · 20 views

CVE-2023-3379 WAGO: Improper Privilege Management in web-based management

Wago web-based management of multiple products has a vulnerability which allows a local authenticated attacker to change the passwords of other non-admin users and thus to escalate non-root privileges...

CVSS 5.3 · AI score 5.5 · EPSS 0.00026
Exploits 0 · References 1
Positive Technologies
added 2023/11/20 12:00 a.m. · 3 views

PT-2023-7175 · Wago · Wago Touch Panel 600 +2

Name of the Vulnerable Software and Affected Versions: WAGO PFC100/PFC200 (affected versions not specified), WAGO Edge Controller (affected versions not specified), WAGO Touch Panel 600 (affected versions not specified). Description: The issue is related to errors in privilege...

CVSS 5.7 · AI score 6.8 · EPSS 0.00026
Exploits 0 · References 5
WPVulnDB
added 2023/11/20 12:00 a.m. · 15 views

EmbedPress < 3.9.2 - Reflected XSS

Description: The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC: Make a logged in admin open a page containing the HTML code below...

CVSS 6.1 · AI score 5.9 · EPSS 0.0146
Exploits 2 · Affected Software 1
Vulnrichment
added 2023/11/16 6:16 p.m. · 7 views

CVE-2023-47511 WordPress Pinyin Slugs Plugin <= 2.3.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SO WP Pinyin Slugs plugin <= 2.3.0 versions...

CVSS 5.9 · AI score 5.8 · EPSS 0.00073
Exploits 0 · References 1
NVD
added 2023/11/07 3:15 p.m. · 13 views

CVE-2023-33480

RemoteClinic 2.0 contains a critical vulnerability chain that can be exploited by a remote attacker with low-privileged user credentials to create admin users, escalate privileges, and execute arbitrary code on the target system via a PHP shell. The vulnerabilities are caused by a lack of input...

CVSS 8.8 · EPSS 0.09404
Exploits 1 · References 1
Prion
added 2023/11/07 3:15 p.m. · 18 views

Design/Logic Flaw

RemoteClinic 2.0 contains a critical vulnerability chain that can be exploited by a remote attacker with low-privileged user credentials to create admin users, escalate privileges, and execute arbitrary code on the target system via a PHP shell. The vulnerabilities are caused by a lack of input...

CVSS 6.5 · AI score 8.6 · EPSS 0.09404
Exploits 1 · References 1 · Affected Software 1