3 matches found
CVE-2018-25370
Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting rolesfunction.php with parameters like rolassignroles, rolapproveusers, and...
DRUPAL-CONTRIB-2026-002
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...
CVE-2023-25569
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cooki...