Lucene search
+L

5 matches found

OSV
OSV
added 2026/07/10 6:39 p.m.5 views

CVE-2026-55460 Snipe-IT: Authorization bypass on bulk editing users

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with deleteuser=1 because BulkUsersController::destroy authorizes only update, allowing the user to...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/06/08 3:41 p.m.13 views

CVE-2026-48507 Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users

Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag which determines whether or not a user can login and the...

7.1CVSS5.5AI score0.00194EPSS
Exploits0References2
Hacker One
Hacker One
added 2016/09/16 5:46 a.m.15 views

Shopify: Open redirect in bulk edit

Hi , I have found an open redirection issue when bulk editing resources. PoC: Go to https://.myshopify.com/admin/bulk?resourcename=Product&returnto=/..//evil.com then click the Close button and you'll go to evil.com Thanks!...

7AI score
Exploits0
Hacker One
Hacker One
added 2015/06/24 7:36 a.m.23 views

Shopify: XSS at Bulk editing ProductVariants

Steps to Reproduce: 1.Create a Product with Title and Description as " 2. Now goto https://blahblah.myshopify.com/admin/products/inventory 3. Select the Product created at Step 1 and Click on Edit variants and XSS will be triggered...

Exploits0
Hacker One
Hacker One
added 2015/06/10 8:15 a.m.19 views

Shopify: XSS at Bulk editing products

after following above the steps in 67125 goto Bulk editing products: for me the url was: https://img-src-x-onerror-prompt1-24.myshopify.com/admin/bulk?resourcename=Product&edit=variants.sku%2Cvariants.price%2Cvariants.compareatprice&message=&returnto=%2Fadmin%2Fproducts&ids=1151578433 it is also...

0.1AI score
Exploits0
Rows per page
Query Builder