CVE-2023-49079 Misskey's missing signature validation allows arbitrary users to impersonate any remote user.
Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1...
Delete Usermetas < 1.2.0 - Cross-Site Request Forgery
Description: The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumetoptionspage function. This makes it possible for unauthenticated attackers to remove user meta for...
CVE-2023-5537 Delete Usermetas <= 1.1.2 - Cross-Site Request Forgery
The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumetoptionspage function. This makes it possible for unauthenticated attackers to remove user meta for arbitrary users vi...
Design/Logic Flaw
The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdmwpdeleteusermeta, pmdmwpdeletetermmeta, and pmdmwpajaxdeletemeta functions in versions up to, and including, 1.2.0. This makes it possible for...
Add arbitrary users to the user group
Description: Add arbitrary users to the user group. Proof of Concept: 1. Administrator user haido456 creates a user group named group456. 2. User hai123 has general user rights but has the right to add arbitrary users to the user group group456. 3. This includes users that the admin does not want...
CVE-2023-4307
The Lock User Account WordPress plugin through 1.0.3 does not have a CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged-in admins lock and unlock arbitrary users via a CSRF attack...
Anhui Green Persimmon Information Technology Co., Ltd. has a logic flaw vulnerability in LiveQing (CNVD-2023-78411)
LiveQing Aoki video streaming service solution. Anhui Green Persimmon Information Technology Co., Ltd LiveQing has a logic flaw vulnerability that can be exploited by attackers to add arbitrary users...
Anhui Green Persimmon Information Technology Co., Ltd LiveQing has a logic flaw vulnerability
LiveQing Aoki video streaming service solution. Anhui Green Persimmon Information Technology Co., Ltd LiveQing has a logic flaw vulnerability that can be exploited by attackers to delete arbitrary users...
Remote Code Execution (RCE)
GitLab is vulnerable to Remote Code Execution (RCE). This vulnerability occurs due to a flaw in the way that GitLab handles group SAML SSO. An attacker can exploit this vulnerability to invite arbitrary users to a group, and then change the user's email address to an attacker-controlled address. Th...
InstaWP Connect < 0.0.9.19 - Unauthenticated Data Modification
Description: The plugin does not have an authorisation check in its eventsreceiver function, allowing unauthenticated users to create/update/delete posts/taxonomy, install/activate/deactivate plugins, update the customizer settings, as well as create/update/delete arbitrary users...
CVE-2023-25780
A vulnerability of insufficient authentication has been identified in an important specific function of Status PowerBPM. A LAN attacker with normal user privileges can exploit this vulnerability to modify the substitute agent to arbitrary users, resulting in serious consequences...
Authentication flaw
A vulnerability of insufficient authentication has been identified in an important specific function of Status PowerBPM. A LAN attacker with normal user privileges can exploit this vulnerability to modify the substitute agent to arbitrary users, resulting in serious consequences...
PT-2023-20297 · Unknown · Status Powerbpm
Name of the Vulnerable Software and Affected Versions: Status PowerBPM, affected versions not specified. Description: The issue is related to insufficient authentication in a specific function of Status PowerBPM. A LAN attacker with normal user privileges can exploit this to modify the substitute...
CVE-2023-24599
OX App Suite before backend 7.10.6-rev37 allows authenticated users to change the appointments of arbitrary users via conflicting ID numbers, aka "ID confusion."...
CVE-2023-25589 Unauthenticated Arbitrary User Creation Leads to Complete System Compromise
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise...
CVE-2023-25589
The CVE-2023-25589 entry concerns Aruba Networks ClearPass Policy Manager. The web-based management interface vulnerability allows an unauthenticated remote attacker to create arbitrary user accounts, enabling total cluster compromise. Affected software is ClearPass Policy Manager (web UI) with i...
PT-2023-2114 · Aruba · Clearpass Policy Manager
Name of the Vulnerable Software and Affected Versions: ClearPass Policy Manager, affected versions not specified. Description: A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform...
K15229: BIG-IQ / BIG-IP privilege escalation vulnerability CVE-2014-3220
Security Advisory Description: F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary users via the name parameter in a request to the user's page in mgmt/shared/authz/users/. CVE-2014-3220 Impact: An authenticated user with limited...
Tiki Wiki CMS Groupware 24.0 grid.php PHP Object Injection Vulnerability
Tiki Wiki CMS Groupware const popChain = 'O:25:"SearchElasticConnection":1:S:31:"\00SearchElasticConnection\00bulk";O:28:"SearchElasticBulkOper...