CVE-2024-33891
Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId attribute...
CVE-2024-4198
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to demote users to guest via crafted HTTP requests...
CVE-2024-32470
Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely. This error was introduced in v3.57.2 and immediately fixed in v3.57.4...
CVE-2024-3029
In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multiusermode'. The...
CVE-2024-3029 Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multiusermode'. The...
The vulnerability of the CMS system Netcat, related to the manipulation of cross-site requests, allows a hacker to create a new user with administrator privileges.
The vulnerability of the CMS system Netcat is related to the manipulation of cross-site requests. Exploiting this vulnerability allows a malicious actor to create a new user with administrator privileges by sending a specially crafted request...
XWiki 13.9-rc-1 < 14.10.19, 15.0-rc-1 < 15.5.4, 15.6-rc-1 < 15.9 RCE Vulnerability (GHSA-r5vh-gc3r-r24w)
XWiki is prone to a remote code execution (RCE) vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:xwiki:xwiki";...
CVE-2024-31988
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, b...
CVE-2024-31988 XWiki Platform CSRF remote code execution through the realtime HTML Converter API
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, b...
EUVD-2024-1290
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, b...
CVE-2024-31988
CVE-2024-31988 affects XWiki Platform where the realtime editor can lead to arbitrary remote code execution when an admin with programming rights visits a crafted URL or views an image containing that URL (e.g., in a comment). Affected versions are 13.9-rc-1 and earlier, specifically before 14.10...
XWiki Platform CSRF remote code execution through the realtime HTML Converter API
Impact When the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the...
GHSA-R5VH-GC3R-R24W XWiki Platform CSRF remote code execution through the realtime HTML Converter API
Impact When the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the...
CVE-2024-3101 Privilege Escalation via Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multiusermode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This acti...
CVE-2024-3101 Privilege Escalation via Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multiusermode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This acti...
CVE-2024-3537
A vulnerability was found in Campcodes Church Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/adminuser.php. The manipulation of the argument firstname leads to sql injection. The attack may be initiated remotely. The exploit has bee...
Church Management System cross-site scripting vulnerability
Church Management System is a church management system. Version 1.0 of the Church Management System contains a cross-site scripting vulnerability in the firstname parameter of the /admin/adminuser.php file...
PT-2024-15932 · WordPress · Wp Erp
Name of the Vulnerable Software and Affected Versions: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress versions up to, and including, 1.12.9 Description: The issue is related to time-based SQL Injection via the id parameter due to...