151 matches found
EUVD-2022-5793
Malicious code in bioql PyPI...
EUVD-2025-25832
Malicious code in bioql PyPI...
GHSA-8PJC-487G-W6P2 vulnerabilities
Vulnerabilities for packages: nri-f5, wgcf, aws-eks-pod-identity-agent, nri-rabbitmq, kubernetes-csi-node-driver-registrar, kube-logging-operator, flux-operator, nodetaint, witness, helm-operator, chartmuseum, tekton-chains, zot, mongo-tools, swagger, conftest, helm-set-status, karpenter,...
CVE-2025-41702
The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key...
CVE-2025-41702
The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key...
CVE-2025-41702 egOS WebGUI Hard-Coded JWT Secret Enables Authentication Bypass
The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key...
CVE-2025-41702
The CVE-2025-41702 entry concerns hard-coded JWT signing key in the egOS WebGUI backend, enabling an unauthenticated remote attacker to forge valid HS256 tokens and bypass authentication/authorization. Affected software includes egOS WebGUI-based gateways (examples cited: Welotec EG400Mk2/EG500Mk...
PT-2025-34744
Name of the Vulnerable Software and Affected Versions: egOS WebGUI affected versions not specified Description: The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass...
CVE-2023-51982
CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and Local In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI...
CVE-2019-14656
Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account with a password of user can make admin requests via HTTP...
CVE-2025-2907
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modi...
CVE-2025-1682
CVE-2025-1682 concerns the WordPress Cardealer theme (versions <= 1.6.4). The root cause is a missing capability check in the save_settings function, enabling an authenticated user with subscriber-level access or higher to perform an Arbitrary Theme Option Update and escalate privileges by cha...
PT-2025-3441 · Unknown · Macrozheng Mall-Tiny
Name of the Vulnerable Software and Affected Versions: Macrozheng Mall-Tiny version 1.0.1 Description: The issue is related to incorrect access control. By default, the project imports users, and a test user is granted super administrator privileges. Recommendations: For Macrozheng Mall-Tiny...
CVE-2024-28142
The CVE-2024-28142 entry describes stored cross-site scripting via improper input sanitization on the Image Access Scan2Net (and related lines) File Name input on the User Settings page (/cgi/uset.cgi?-cfilename). The root cause is inadequate filtering of the file name and wildcard character inpu...
PT-2024-22292 · Image Access Gmbh · Scan2Net
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue is due to missing input sanitization, allowing an attacker to perform cross-site-scripting attacks and run arbitrary Javascript in the browser...
SUSE CVE-2024-7594
Vault's SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and defaultuser fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault's SSH secrets engine could be used to...
CVE-2024-9863 Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'defaultuserrole' option. This makes it possible for unauthenticated attackers to register an...
CVE-2024-9863 Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'defaultuserrole' option. This makes it possible for unauthenticated attackers to register an administrator user even if the...
CVE-2024-9858
CVE-2024-9858 affects Google Cloud Migrate to Containers for Windows (versions 1.1.0–1.2.2). The root cause is an insecure default local user, m2cuser, created with administrator privileges. If the analyze or generate workflow is interrupted or the local user is not deleted, this user could be ex...
PT-2024-39895 · WordPress · Userpro
Name of the Vulnerable Software and Affected Versions: UserPro plugin for WordPress versions up to, and including, 3.6.0 Description: The issue is related to privilege escalation due to the insecure 'administrator' default value for the default user role option. This allows unauthenticated...