5 matches found
CVE-2026-55460 Snipe-IT: Authorization bypass on bulk editing users
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with deleteuser=1 because BulkUsersController::destroy authorizes only update, allowing the user to...
CVE-2026-48507 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...
Shopify: Open redirect in bulk edit
Hi , I have found an open redirection issue when bulk editing resources. PoC: Go to https://.myshopify.com/admin/bulk?resourcename=Product&returnto=/..//evil.com then click the Close button and you'll go to evil.com Thanks!...
Shopify: XSS at Bulk editing ProductVariants
Steps to Reproduce: 1.Create a Product with Title and Description as " 2. Now goto https://blahblah.myshopify.com/admin/products/inventory 3. Select the Product created at Step 1 and Click on Edit variants and XSS will be triggered...
Shopify: XSS at Bulk editing products
after following above the steps in 67125 goto Bulk editing products: for me the url was: https://img-src-x-onerror-prompt1-24.myshopify.com/admin/bulk?resourcename=Product&edit=variants.sku%2Cvariants.price%2Cvariants.compareatprice&message=&returnto=%2Fadmin%2Fproducts&ids=1151578433 it is also...