CVE-2023-33480
RemoteClinic 2.0 contains a critical vulnerability chain that can be exploited by a remote attacker with low-privileged user credentials to create admin users, escalate privileges, and execute arbitrary code on the target system via a PHP shell. The vulnerabilities are caused by a lack of input...
PT-2023-24356 · Unknown · Remote Clinic
Name of the Vulnerable Software and Affected Versions: RemoteClinic version 2.0 Description: The issue is caused by a lack of input validation and access control in the "staff/register.php" endpoint and the "edit-my-profile.php" page. This allows a remote attacker with low-privileged user...
Exploit for Improper Input Validation in Atlassian Confluence_Data_Center
RedTeamTool-CVE-2023-22515 – Vulnerability Exploitation Tool...
Luxcal Event Calendar 3.2.3 Cross Site Request Forgery
==================================================================================================================================== | Title : Luxcal Event Calendar v3.2.3 CSRF Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 63.0.3 32-bit...
Italia Mediasky CMS 2.0 Cross Site Request Forgery
==================================================================================================================================== | Title : Italia Mediasky CMS v2.0 CSRF Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 63.0.3 32-bit | |...
Doubleclick Admin 1 Cross Site Request Forgery
==================================================================================================================================== | Title : Doubleclick Admin v1 CSRF Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 115.0.2 64-bit | |...
WebCalendar 1.3 Cross Site Request Forgery
==================================================================================================================================== | Title : WebCalendar v1.3 CSRF Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 69.0 32-bit | | Vendor :...
Courier Deprixa Pro Integrated Web System 3.2.5 Cross Site Request Forgery
==================================================================================================================================== | Title : Courier Deprixa Pro - Integrated Web System v3.2.5 CSRF Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla...
XLAgenda 4.4 Cross Site Request Forgery
==================================================================================================================================== | Title : XLAgenda v4.4 CSRF Vulnerability | | Author : indoushka | | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 65.0 32-bit | | Vendor :...
Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation
WooCommerce-Payments plugin for WordPress versions 4.8 to 4.8.2, 4.9 to 4.9.1, 5.0 to 5.0.4, 5.1 to 5.1.3, 5.2 to 5.2.2, 5.3 to 5.3.1, 5.4 to 5.4.1, 5.5 to 5.5.2, and 5.6 to 5.6.2 contain an authentication bypass by specifying a valid user ID number within the X-WCPAY-PLATFORM-CHECKOUT-USER heade...
Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts
As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin. The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version 2.6.6 tha...
PT-2023-24941 · WordPress · Ultimate Member
Name of the Vulnerable Software and Affected Versions: Ultimate Member WordPress plugin versions prior to 2.6.7 Description: The issue allows attackers to create user accounts with arbitrary capabilities, effectively enabling them to create administrator accounts at will. This is being actively...
PT-2023-6751 · Minio +2 · Minio +2
Name of the Vulnerable Software and Affected Versions: Minio versions prior to RELEASE.2023-03-20T20-16-18Z Description: The issue is related to insufficient access control in Minio, a Multi-Cloud Object Storage framework. Minio fails to filter the character, which allows for arbitrary object...
Nextcloud Resource Management Error Vulnerability
Nextcloud is an open-source suite of self-hosted file synchronization, sharing and communication applications from Nextcloud (Germany). A resource management error vulnerability exists in Nextcloud Server versions prior to 23.0.11, 24.0.7, and 25.0.0, which stems from creating a user as an...
CVE-2022-28169
Brocade Webtools in Brocade Fabric OS versions before v9.1.1, v9.0.1e, and v8.2.3c could allow a low-privilege Webtools user to gain elevated admin rights or privileges beyond what is intended or entitled for that user. By exploiting this vulnerability, a user whose...
CVE-2022-36634
An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5r allows attackers to arbitrarily create admin users via a crafted HTTP request...
API Privilege Escalation
Description Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. On Easy!Appointments API authorizati...
Zero-channel BBS Plus vulnerable to cross-site scripting
Overview Zero-channel BBS Plus by Zero-Channel BBS Plus Developers is a bulletin board CGI script. Zero-channel BBS Plus contains a cross-site scripting vulnerability (CWE-79). Zero-Channel BBS Plus Developers reported this vulnerability to JPCERT/CC to notify users of its solution through JVN...
Subrion CMS Cross-Site Request Forgery Vulnerability
Subrion CMS is a PHP-based content management system (CMS) from the Subrion team. The system can be integrated into websites and supports multiple extension plugins. A security vulnerability exists in Subrion CMS 4.2.1, which allows a remote, unauthenticated, malicious user to send authorizati...
CVE-2022-22294
A SQL injection vulnerability exists in ZFAKA <= 1.43 which an attacker can use to complete SQL injection in the foreground and add a background administrator account...