72 matches found
CVE-2026-2693 CoCoTeaNet CyreneAdmin System Info Endpoint getCount improper authorization
A vulnerability was determined in CoCoTeaNet CyreneAdmin up to 1.3.0. This vulnerability affects unknown code of the file /api/system/dashboard/getCount of the component System Info Endpoint. Executing a manipulation can lead to improper authorization. The attack can be launched remotely. The...
CVE-2026-2693 CoCoTeaNet CyreneAdmin System Info Endpoint getCount improper authorization
A vulnerability was determined in CoCoTeaNet CyreneAdmin up to 1.3.0. This vulnerability affects unknown code of the file /api/system/dashboard/getCount of the component System Info Endpoint. Executing a manipulation can lead to improper authorization. The attack can be launched remotely. The...
CVE-2026-2693 CoCoTeaNet CyreneAdmin System Info Endpoint getCount improper authorization
A vulnerability was determined in CoCoTeaNet CyreneAdmin up to 1.3.0. This vulnerability affects unknown code of the file /api/system/dashboard/getCount of the component System Info Endpoint. Executing a manipulation can lead to improper authorization. The attack can be launched remotely. The...
CVE-2026-2693
CVE-2026-2693 affects CoCoTeaNet CyreneAdmin up to version 1.3.0. The vulnerability resides in the System Info Endpoint component, specifically /api/system/dashboard/getCount, where improper authorization can be exploited. The issue can be triggered remotely over the network, and public disclosur...
CVE-2025-60800
Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request...
PT-2025-44195
Name of the Vulnerable Software and Affected Versions jshERP versions prior to commit 90c411a Description An access control issue exists in the /jshERP-boot/user/info interface of jshERP. An attacker can obtain sensitive information by sending a specially crafted GET request to this interface. Th...
CVE-2025-60800
Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request...
CVE-2025-9240 elunez eladmin info information disclosure
A security flaw has been discovered in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file /auth/info. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been released to the public and may be exploited...
CVE-2025-9240 elunez eladmin info information disclosure
A security flaw has been discovered in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file /auth/info. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been released to the public and may be exploited...
CVE-2025-24496
CVE-2025-24496 affects Tenda AC6 V5.0 V02.03.01.110. The information-disclosure flaw resides in /goform/getproductInfo; Talos notes an authentication bypass when requesting this URL, allowing a non-authenticated retrieval of module data via the generic getter, potentially exposing configuration d...
WordPress plugin bSecure 安全漏洞
WordPress bSecure plugin is a plugin used to enhance the security of the website, mainly for the payment page of GiveWP to provide security features. An elevation of privilege vulnerability exists in the WordPress bSecure plugin, which stems from a lack of authorization in the orderinfo REST...
CVE-2025-5416
CVE-2025-5416 concerns Keycloak exposing sensitive environment information via the authenticated-accessible endpoint /admin/serverinfo . Multiple sources describe an information-disclosure flaw that can reveal internal server details when an authenticated user accesses the endpoint. The NVD and R...
CVE-2024-56361
LGSL Live Game Server List provides online status for games. Before 7.0.0, a stored cross-site scripting XSS vulnerability was identified in lgsl. The function lgslquery40 in lgslprotocol.php has implemented an HTTP crawler. This function makes a request to the registered game server, and upon...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS by sending a crafted payload to the /info endpoint via the lgslquery40 function. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious script into an...
PT-2024-36803 · Lgsl · Lgsl
Name of the Vulnerable Software and Affected Versions: LGSL versions prior to 7.0.0 Description: A stored cross-site scripting XSS vulnerability was identified in LGSL. The issue arises from improper sanitation of user input. The function lgsl query 40 in lgsl protocol.php has implemented an HTTP...
PT-2024-34374 · Unknown · Python Food Ordering System
Name of the Vulnerable Software and Affected Versions: python food ordering system version V1.0 Description: The python food ordering system has an unauthorized vulnerability that leads to the leakage of sensitive user information. Attackers can access it through the...
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
Impact The Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of an XSS vulnerability in an upstream...
CVE-2024-39315 Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be...
PT-2024-28365 · Idccms · Idccms
Name of the Vulnerable Software and Affected Versions: idccms version 1.35 Description: A Cross-Site Request Forgery CSRF issue was discovered in the component /admin/info deal.php?mudi=del&dataType=news&dataTypeCN. This issue allows for unauthorized requests to be made. The mudi, dataType, and...
Linksys E5600 Command Injection Vulnerability
Linksys E5600 is a powerful, compact and reliable WiFi 5 router from Linksys USA. A command injection vulnerability exists in the Linksys E5600 v1.1.0.26, which stems from the failure of the PinCode parameter of the /API/info form endpoint to properly filter constructed command special characters...