
2475 matches found

OSV, added 2025/01/31 10:15 p.m., 2 views

CVE-2024-53357

Multiple SQL injection vulnerabilities in EasyVirt DCScope = 8.6.0 and CO2Scope = 1.3.0 allow remote authenticated attackers, with low privileges, to (1) add an admin user via the /api/user/addalias route; (2) modify a user via the /api/user/updatealias route; (4) delete users via the /api/user/delali...

CVSS 7.5, AI score 5.9, EPSS 0.00472
Exploits 1, References 1
Vulnrichment, added 2025/01/31 6:00 a.m., 5 views

CVE-2024-13218 Fast Tube <= 2.3.1 - Reflected XSS

The Fast Tube WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin...

AI score 6.1, EPSS 0.0033
Exploits 1, References 1
OSV, added 2025/01/30 4:15 p.m., 2 views

CVE-2025-22220

VMware Aria Operations for Logs contains a privilege escalation vulnerability. A malicious actor with non-administrative privileges and network access to the Aria Operations for Logs API may be able to perform certain operations in the context of an admin user...

CVSS 5.4, AI score 5.7, EPSS 0.00306
Exploits 0, References 1
Vulnrichment, added 2025/01/30 3:28 p.m., 24 views

CVE-2025-22220 VMware Aria Operations for Logs broken access control vulnerability (CVE-2025-22220)

VMware Aria Operations for Logs contains a privilege escalation vulnerability. A malicious actor with non-administrative privileges and network access to the Aria Operations for Logs API may be able to perform certain operations in the context of an admin user...

CVSS 4.3, AI score 4.9, EPSS 0.00306
Exploits 0, References 1
Snyk, added 2025/01/28 7:12 p.m., 1 view

Cross-site Scripting (XSS)

Overview: pimcore/pimcore is a content and product management framework (CMS/PIM/E-Commerce). Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when uploading a PDF. An admin user can upload a PDF containing malicious scripts that will be executed in another user's session...

CVSS 8.1, AI score 5.4, EPSS 0.00993
Exploits 2, References 2
CNNVD, added 2025/01/28 12:00 a.m., 2 views

WordPress plugin Simple Image Sizes cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin ... A cross-site scripting...

CVSS 4.8, AI score 5.3, EPSS 0.00251
Exploits 0, References 3
OSV, added 2025/01/24 5:15 p.m., 2 views

CVE-2025-0701

A vulnerability classified as critical has been found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. This affects an unknown part of the file /admin/sys/user/list. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely...

CVSS 8.8, AI score 5.7, EPSS 0.00363
Exploits 0, References 5
NVD, added 2025/01/17 11:15 a.m., 9 views

CVE-2024-12703

CWE-502: A deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on the workstation when a non-admin authenticated user opens a malicious project file...

CVSS 8.5, EPSS 0.00305
Exploits 0, References 1
CNNVD, added 2025/01/17 12:00 a.m., 2 views

Schneider Electric RemoteConnect and SCADAPack code issue vulnerability

Schneider Electric RemoteConnect and SCADAPack is a single software tool from Schneider Electric, France, for users to monitor, configure, program, and debug SCADAPack Smart RTUs. A code issue vulnerability exists in Schneider Electric RemoteConnect and SCADAPack that stems from the inclusion of ...

CVSS 8.5, AI score 7.6, EPSS 0.00305
Exploits 0, References 2
Cvelist, added 2025/01/16 7:30 p.m., 18 views

CVE-2024-55954 OpenObserve Improper Authorization Allows Admin User to Remove Root User

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint /api/orgid/users/emailid allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the...

CVSS 8.7, EPSS 0.00487
Exploits 0, References 2
Vulnrichment, added 2025/01/16 7:30 p.m., 8 views

CVE-2024-55954 OpenObserve Improper Authorization Allows Admin User to Remove Root User

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint /api/orgid/users/emailid allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the...

CVSS 8.7, AI score 8.4, EPSS 0.00487
Exploits 0, References 2
Vulnrichment, added 2025/01/15 10:23 p.m., 8 views

CVE-2025-0215 UpdraftPlus - Backup/Restore <= 1.24.12 - Reflected Cross-Site Scripting

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiaterestore parameters in all versions up to, and including, 1.24.12 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.1, AI score 6, EPSS 0.00354
Exploits 0, References 3
Snyk, added 2025/01/10 9:31 p.m., 2 views

Cross-site Scripting (XSS)

Overview: microweber/microweber is a new generation CMS with drag and drop. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by an admin user who injects a malicious script into the "List name" field of a new campaign at the /admin/modules/newsletter/lists endpoint. The...

CVSS 4.8, AI score 5.3, EPSS 0.0109
Exploits 4, References 2
CNNVD, added 2025/01/09 12:00 a.m., 4 views

bookstore code injection vulnerability

bookstore is an e-commerce bookstore system by the individual developer donglight. A code injection vulnerability exists in bookstore version 1.0.0, which originates from the updateUser function in the file src/main/Java/org/zdd/bookstore/web/controller/admin/AdminUserControlle.java, which can lead t...

CVSS 5.4, AI score 4.7, EPSS 0.00393
Exploits 1, References 5
Positive Technologies, added 2025/01/09 12:00 a.m., 4 views

PT-2025-2055 · Unknown · Donglight Bookstore电商书城系统说明

Name of the Vulnerable Software and Affected Versions: donglight bookstore电商书城系统说明 version 1.0.0 Description: A vulnerability was found in the updateUser function of the file src/main/Java/org/zdd/bookstore/web/controller/admin/AdminUserControlle.java. The manipulation leads to cross site...

CVSS 5.3, AI score 4.1, EPSS 0.00393
Exploits 1, References 10
OSV, added 2025/01/08 7:15 p.m., 3 views

CVE-2024-54818

SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control via /php-lms/admin/?page=user/list...

CVSS 8.8, AI score 5.8, EPSS 0.00495
Exploits 0, References 2
CNNVD, added 2025/01/08 12:00 a.m., 3 views

SourceCodester Computer Laboratory Management System security vulnerability

SourceCodester Computer Laboratory Management System is an open source computer laboratory management system from SourceCodester. A security vulnerability exists in SourceCodester Computer Laboratory Management System version 1.0, which stems from incorrect access control...

CVSS 8.8, AI score 6.6, EPSS 0.00495
Exploits 0, References 3
Positive Technologies, added 2025/01/07 12:00 a.m., 2 views

PT-2025-1795 · Payu · Payu Commercepro Plugin For Wordpress

Name of the Vulnerable Software and Affected Versions: PayU CommercePro Plugin for WordPress versions up to, and including, 3.8.3 Description: The issue is due to the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's...

CVSS 9.8, AI score 6.6, EPSS 0.00709
Exploits 0, References 8
Positive Technologies, added 2025/01/07 12:00 a.m., 3 views

PT-2025-4308

Name of the Vulnerable Software and Affected Versions: ClipBucket V5 versions prior to 5.5.1 - 239 Description: A file upload vulnerability exists in the Manage Playlist functionality of the application, specifically surrounding the uploading of playlist cover images. Without proper checks, an...

CVSS 9.8, AI score 6.6, EPSS 0.01166
Exploits 1, References 11
CNNVD, added 2025/01/03 12:00 a.m., 2 views

WukongCRM security vulnerability

WuKong WukongCRM is a Customer Relationship Management (CRM) system from WuKong, China. A security vulnerability exists in WukongCRM-11.0-JAVA version 11.3.3, which originates from an arbitrary file upload vulnerability in the /adminUser/updateImg component, which can be exploited to execute...

CVSS 9.8, AI score 9, EPSS 0.00675
Exploits 0, References 2