298 matches found
CVE-2023-53895
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...
CVE-2023-53895
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...
CVE-2023-53895 PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...
EUVD-2023-60195
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...
CVE-2023-53895
PimpMyLog 1.7.14 is affected by an improper access control vulnerability that lets remote attackers create admin accounts via the configuration endpoint (/configuration). The unsanitized username field can be exploited to inject JavaScript, enabling a hidden backdoor and potential access to serve...
CVE-2023-53895 PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...
π Gnuboard 5.6.23 SQL Injection / Code Execution
Gnuboard version 5.6.23 installation exploit that can identify SQL injection and potentially achieve remote code execution. ============================================================================================================================================= | Title : Gnuboard v5.6.23...
PT-2025-51743
Name of the Vulnerable Software and Affected Versions PimpMyLog version 1.7.14 Description The software contains an improper access control issue that allows remote attackers to create administrator accounts without authorization through the configuration endpoint. Attackers can exploit the...
EUVD-2025-203469
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the language user configuration parameter, it's possible to call install.php and perform various administrative actions as an unprivileged user. These actions include logging in as the...
CVE-2025-58173 FreshRSS vulnerable to authenticated RCE via path traversal inside include()
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the language user configuration parameter, it's possible to call install.php and perform various administrative actions as an unprivileged user. These actions include logging in as the...
CVE-2020-36894
Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative...
EUVD-2020-30838
Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative...
EUVD-2020-30832
All-Dynamics Digital Signage System 2.0.2 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft a malicious web page that automatically submits forms to create a new user with global...
CVE-2020-36894
Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative...
CVE-2020-36886
SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full...
CVE-2020-36894
CVE-2020-36894 affects Eibiz i-Media Server Digital Signage 3.8.0. The vulnerability is an authentication bypass in which crafted AMF-encoded objects manipulated at /messagebroker/amf allow unauthenticated attackers to create administrator users, bypassing security controls. Multiple connected so...
WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE
This module exploits an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin versions 24.12.92 to 51.1.14. The vulnerability exists in the handleregisterajax function which allows unauthenticated attackers to specify the userrole parameter during...
EUVD-2021-34725
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users...
CVE-2021-47730 Selea Targa IP Camera Cross-Site Request Forgery via Admin Creation
Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user...
CVE-2021-47730
CVE-2021-47730 affects Selea Targa IP OCR-ANPR Camera and is a cross-site request forgery that allows an attacker to create an admin user without authentication. The provided documents state that a malicious page can submit a form to add a new administrator with full system privileges when a logg...