325 matches found
Tiki Wiki CMS Groupware 24.0 grid.php PHP Object Injection Vulnerability
----------------------------------------------------------------------------- Tiki Wiki CMS Groupware const popChain = 'O:25:"SearchElasticConnection":1:S:31:"\00SearchElasticConnection\00bulk";O:28:"SearchElasticBulkOper...
CVE-2022-4024 Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
The Registration Forms WordPress plugin before 3.8.1.3 does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users along with their posts...
CVE-2022-3930
The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own...
Design/Logic Flaw
The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own...
Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
The plugin does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users along with their posts PoC Invoke the following curl command to delete the user user id 2 curl https://example.com/wp-admin/admin-ajax.php...
CVE-2022-42750
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user...
Cross site scripting
SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks...
CVE-2022-30935
An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed...
The vulnerability of the TUG Home Base Server, related to deficiencies in the authentication process, allows attackers to add and remove arbitrary users.
The vulnerability of the TUG Home Base Server is related to deficiencies in the authentication process. Exploiting this vulnerability allows a malicious actor to add and remove arbitrary users remotely...
CVE-2022-1605
The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
CVE-2022-1605
The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
The vulnerability of SCIM (System of Cross-domain Identity Management) function of the Git-based software platform for collaborative code development on GitLab arises from the ability to invite arbitrary users through their user names and email addresses. This allows a malicious actor to gain control over user accounts by modifying their email addresses.
The vulnerability of SCIM System of Cross-domain Identity Management in the Git-based software platform for collaborative code development on GitLab relates to the ability to invite arbitrary users through their user names and email addresses. Exploiting this vulnerability could allow a malicious...
Moodle multiple cross-site request forgery (CSRF) vulnerabilities
Multiple cross-site request forgery CSRF vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to 1 mod/lesson/mediafile.php or 2...
GHSA-WPQ5-Q3MJ-8F3R Moodle multiple cross-site request forgery (CSRF) vulnerabilities
Multiple cross-site request forgery CSRF vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a 1 mod/lti/requesttool.php or 2...
GHSA-G77G-VJJM-X83J Apache Tomcat Example Application CSRF and XSS Vulnerabilities
Cross-site request forgery CSRF vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters...
Apache Tomcat Example Application CSRF and XSS Vulnerabilities
Cross-site request forgery CSRF vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters...
Cross site request forgery (csrf)
A Cross-Site Request Forgery CSRF in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI...
CVE-2021-36776 Steve API proxy impersonation
A Improper Access Control vulnerability in SUSE Rancher allows remote attackers impersonate arbitrary users. This issue affects: SUSE Rancher Rancher versions prior to 2.5.10...
The vulnerability of the virtual learning environment Moodle, related to the lack of access control, allows a violator to remove arbitrary users.
The vulnerability of the virtual learning environment Moodle is related to deficiencies in access control. Exploiting this vulnerability could allow a malicious actor to remove arbitrary users remotely...
CVE-2021-45809
GlobalProtect-openconnect versions prior to 1.4.3 are affected by incorrect access control in GPService through DBUS, GUI Application. The way GlobalProtect-Openconnect is set up enables arbitrary users to execute commands as root by submitting the --script= parameter...