GHSA-VQ4Q-79HH-Q767 Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Summary A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token...

DRUPAL-CONTRIB-2024-044

This module enables users to remain logged in separately from session timeouts. The module doesn't sufficiently check a user's disabled status when validating cookies. This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login...

XWiki Platform 安全漏洞

XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the French company XWiki. A security vulnerability exists in XWiki Platform xwiki-platform-oldcore version 11.7RC1 and later versions, which stems from a missing authorization in UsersetDisabledStatus...

CVE-2022-41929 Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore

org.xwiki.platform:xwiki-platform-oldcore is missing authorization in UsersetDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched ...