11 matches found
phpMyFAQ 4.0.16 - Improper Authorization
Exploit Title: phpMyFAQ = 4.0.16 - Improper Authorization Google Dork: N/A Date: 2026-01-23 Exploit Author: GUIA BRAHIM FOUAD Vendor Homepage: https://www.phpmyfaq.de/ Software Link: https://www.phpmyfaq.de/download/ Version: = 4.0.16 REQUIRED Tested on: Ubuntu 22.04, Apache 2.4.52, PHP 8.2.x,...
CVE-2026-24421
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...
CVE-2026-24421
Summary: CVE-2026-24421 affects phpMyFAQ before 4.0.17. Versions 4.0.16 and earlier have flawed authorization logic that exposes the /api/setup/backup endpoint to any authenticated user. The code uses userIsAuthenticated() without verifying configuration/admin permissions, allowing non-admin user...
CVE-2025-69200
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive...
EUVD-2025-204302
A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...
CVE-2025-63386
A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...
PT-2025-52262
Name of the Vulnerable Software and Affected Versions Dify version 1.9.1 Description A Cross-Origin Resource Sharing CORS misconfiguration exists in the /console/api/setup endpoint. The endpoint has an insecure CORS policy that reflects any Origin header and allows Access-Control-Allow-Credential...
CVE-2025-63386
CVE-2025-63386 affects Dify v1.9.1, specifically the /console/api/setup endpoint. The vulnerability arises from a misconfigured CORS policy that reflects any Origin header and sets Access-Control-Allow-Credentials: true, allowing arbitrary external domains to make authenticated requests. Impact i...
WordPress InstaWP Connect plugin <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability
Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability discovered by Truoc Phan in WordPress Plugin InstaWP Connect versions = 0.1.0.38...
InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to conne...
TeleGram-Scraper - Telegram Group Scraper Tool (Fetch All Information About Group Members)
Telegram Group Scraper Tool. Fetch All Information About Group Members • How To Install & Setup API Termux • API Setup Go to http://my.telegram.org and log in. Click on API development tools and fill the required fields. put app name you want & select other in platform Example : copy "apiid" &...