Privilege Escalation
@oneuptime/common is vulnerable to privilege escalation. The vulnerability is due to improper validation of the isMasterAdmin parameter in the login response, which allows an attacker to manipulate its value and gain unauthorized access to the admin dashboard...
CVE-2026-0397
When the internal webserver is enabled (it is disabled by default), an attacker might be able to trick an administrator logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration o...
CVE-2025-70064
PHPGurukul Hospital Management System v4.0 contains a Privilege Escalation vulnerability. A low-privileged user (Patient) can directly access the Administrator Dashboard and all sub-modules (e.g., User Logs, Doctor Management) by manually browsing to the /admin/ directory after authentication. This...
PT-2026-20484
PHPGurukul Hospital Management System v4.0 contains a Privilege Escalation vulnerability. A low-privileged user (Patient) can directly access the Administrator Dashboard and all sub-modules (e.g., User Logs, Doctor Management) by manually browsing to the /admin/ directory after authentication. This...
CVE-2026-23880
OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin wh...
CVE-2024-41246
An Incorrect Access Control vulnerability was found in /smsa/admindashboard.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view the administrator dashboard...
EUVD-2024-38471
Malicious code in bioql PyPI...
CVE-2024-9161
The CVE-2024-9161 entry affects the WordPress plugin Rank Math SEO – AI SEO Tools to Dominate SEO Rankings (versions up to 1.0.228). The root cause is a missing capability check in the function update_metadata, which allows unauthenticated users to insert, update, or delete metadata (including u...
CVE-2024-40480
CVE-2024-40480 affects Kashipara Online Exam System v1.0. The vulnerability is a Broken Access Control in /admin/update.php and /admin/dashboard.php that allows remote unauthenticated attackers to view the admin dashboard and delete valid user accounts via direct URL access. The issue is confirme...
CVE-2024-40480
A Broken Access Control vulnerability was found in /admin/update.php and /admin/dashboard.php in Kashipara Online Exam System v1.0, which allows remote unauthenticated attackers to view the administrator dashboard and delete valid user accounts via direct URL access...
CVE-2024-36819
MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the "Client Name" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee...
PT-2023-25175 · Dataease · Dataease
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 1.18.8. Description: The issue is related to a missing authorization check, allowing unauthorized users to manipulate a dashboard created by the administrator in an open source data visualization analysis tool...
CVE-2022-1549
The WP Athletics WordPress plugin through 1.1.7 does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability...
XSS affecting "Logs" Page
Description: A review of organizr's logging system found it is possible for an unauthenticated threat actor to inject arbitrary JavaScript into the "Logs" page found within the administrator dashboard. In a default installation organizr is set to log failed login attempts. In these attempts, the...
CMS Made Simple Remote Code Execution Vulnerability (CNVD-2018-08922)
CMS Made Simple (CMSMS) is an open source content management system (CMS) developed by the CMSMS team. The system supports a role-based rights management system, a wizard-based installation and update mechanism, an intelligent caching mechanism, and so on. A remote code execution vulnerability exists in th...