10 matches found

Source: Snyk | added 2025/07/25 1:41 p.m. | 2 views

Incorrect Authorization

Overview: generator-jhipster is a development platform to generate, develop and deploy Spring Boot + Angular / React / Vue web applications and Spring microservices. Affected versions of this package are vulnerable to Incorrect Authorization via the authorities parameter in the response from the...

CVSS 8.8 | AI score 7 | EPSS 0.00162
Exploits 0 | References 2
Source: NVD | added 2025/07/25 1:15 p.m. | 3 views

CVE-2025-43712

JHipster before v8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities...

CVSS 8 | EPSS 0.00162
Exploits 0 | References 4
Source: CVE | added 2025/07/07 3:38 p.m. | 20 views

CVE-2025-53373

Natours (Tour Booking API) has a Host header injection vulnerability in the /forgetpassword endpoint that lets an attacker take over a victim's account by supplying an attacker-controlled server domain. The issue is mitigated by the fix in commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b. Affected...

CVSS 9.3 | AI score 6.4 | EPSS 0.00323
Exploits 0 | References 2
Source: RedhatCVE | added 2025/05/22 9:50 p.m. | 3 views

CVE-2022-30618

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...

CVSS 7.5 | AI score 6.6 | EPSS 0.00391
Exploits 0 | References 1
Source: Github Security Blog | added 2025/04/08 2:50 p.m. | 8 views

Shopware 6 allows attackers to check for registered accounts through the store-api

Impact: Through the store-api it is possible for an attacker to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response "errors":"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not...

CVSS 6.9 | AI score 6.2 | EPSS 0.00808
Exploits 1 | References 6 | Affected Software 2
Source: Cvelist | added 2024/12/11 3:50 p.m. | 15 views

CVE-2024-47758 GLPI vulnerable to account takeover without privilege escalation through the API

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that has the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue...

CVSS 7.6 | EPSS 0.00511
Exploits 0 | References 2
Source: Tenable Nessus | added 2020/12/14 12:00 a.m. | 30 views

FreeBSD : glpi -- SQL Injection in Search API (0ba61fcc-3b38-11eb-af2a-080027dbe4b7)

MITRE Corporation reports: In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or...

CVSS 5 | AI score 7.2 | EPSS 0.00293
Exploits 1 | References 4
Source: NVD | added 2020/11/24 8:15 p.m. | 15 views

CVE-2020-28329

Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Versions: 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19...

CVSS 9.8 | AI score 7.9 | EPSS 0.00706
Exploits 7 | References 1
Source: CVE | added 2020/11/24 7:09 p.m. | 100 views

CVE-2020-28329

Barco wePresent WiPG-1600W is affected by CVE-2020-28329 and related CVEs due to hardcoded credentials in the firmware. Affected firmware versions include 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19. The vulnerability arises because an API account and password are embedded in the firmware image and...

CVSS 9.8 | AI score 7.7 | EPSS 0.00706
Exploits 7 | References 1 | Affected Software 1
Source: FreeBSD | added 2020/06/25 12:00 a.m. | 34 views

glpi -- SQL Injection in Search API

MITRE Corporation reports: In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or databa...

CVSS 5 | AI score 1.7 | EPSS 0.00293
Exploits 1 | References 2