CVE-2012-2054
Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, o...
Security feature bypass
Redmine before 1.3.2 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) Version, (9) Wiki, (10) UserPreference, o...
Security feature bypass
GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability...
CVE-2008-7310
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability...
CVE-2008-7309
Insoshi before 20080920 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the ForumPost user_id value via a modified URL, related to a "mass assignment" vulnerability...
Security feature bypass
Insoshi before 20080920 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the ForumPost user_id value via a modified URL, related to a "mass assignment" vulnerability...
Security feature bypass
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability...
CVE-2008-7309
CVE-2008-7309 describes a mass-assignment flaw in Insoshi prior to 20080920, where an attacker can bypass restrictions by manipulating a request hash to set ForumPost.user_id via a modified URL. The issue stems from insufficient restrictions on model attribute assignment. The core impact is unaut...
CVE-2008-7310
CVE-2008-7310 involves Spree 0.2.0 where improper mass assignment allows an attacker to manipulate a hash to set the Order state via a modified URL, bypassing the intended payment step. The core issue is inadequate restrictions on model attribute assignment, enabling remote modification of order ...
CVE-2012-2054
CVE-2012-2054 refers to a mass-assignment vulnerability in Redmine prior to version 1.3.2. The issue allows remote attackers to set attributes for multiple models (Comment, Document, IssueCategory, MembersController, Message, News, TimeEntry, Version, Wiki, UserPreference, Board) by manipulating ...
CVE-2012-2055
GitHub Enterprise before 20120304 is affected by a mass-assignment vulnerability where the software does not properly restrict a hash when filling model attributes, allowing remote attackers to set public_key[user_id] via a manipulated URL to the public-key update form. Root cause: inadequate fil...
CVE-2012-2055
GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability...
PT-2012-3769 · Github · Github Enterprise
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise versions prior to 20120304. Description: The issue allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability. This occurs becaus...
DSA-2443-1 linux-2.6 - several
Bulletin has no description...
Ruby On Rails Attributes Mass Assignment Scanner
This module scans Ruby On Rails sites for models with attributes not protected by attr_protected or attr_accessible. After attempting to assign a non-existent field, the default Rails with ActiveRecord setup will raise an ActiveRecord::UnknownAttributeError exception, and reply with HTTP code 500...
Liferay Portal 6.1 - 6.0.x Privilege Escalation
Exploit for java platform in category web applications. Liferay users can assign themselves to organizations, leading to possible privilege escalation. Description: Liferay Portal is an enterprise portal written in Java. Due to insufficient permission checking in the updateOrganizations method of...