13 matches found
CVE-2026-27894
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with...
CVE-2024-4447
In the System → Maintenance tool, the Logged Users tab surfaces sessionId data for all users via the Direct Web Remoting API UserSessionAjax.getSessionList.dwr calls. While this is information that would and should be available to admins who possess "Sign In As" powers, admins who otherwise lack...
CVE-2024-5280
The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make non-logged-in users execute an XSS payload via a CSRF attack...
WebHMI 4.1 Cross Site Scripting Vulnerability
Exploit Title: WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated). Exploit Author: Antonio Cuomo (arkantolo). Vendor Homepage: https://webhmi.com.ua/en/ Version: WebHMI Firmware 4.1.1.7662. Tested on: WebHMI Firmware 4.1.1.7662. Steps to Reproduce: 1. Log in to an admin account. 2. Add a new register...
CVE-2022-23858
A flaw was found in the REST API. An improperly handled REST API call could allow any logged user to elevate privileges up to the system account. This affects StarWind Command Center build 6003 v2...
Quiz And Survey Master < 7.3.7 - CSRF
The plugin is lacking a nonce check, which could allow attackers to make logged-in users perform unwanted actions via a CSRF attack...
Nextcloud: Reflected XSS in error pages (NC-SA-2017-008)
Hello, I found an HTML injection vulnerability (1 flaw) in the latest Nextcloud and ownCloud versions. Through this vulnerability an attacker could manipulate the website. This vulnerability could affect logged-in users. An attacker could send a malicious link that contains the manipulated URL to...
Mouse Media Script Stored XSS Vulnerability
Exploit for the PHP platform in category web applications. Log in to the system and upload any image. When uploading the image, enter the XSS payload in the "Title" and "Description" inputs. Then visit the home page to check the uploaded payload. All these uploaded images and payloads...
"Issue Does Not Exist" page leaks information to non-logged in users
Trying to open a URL for an issue that does not exist shows the "Issue Does Not Exist" error page, even if you are logged out and the project is not publicly viewable. In contrast, trying to open the URL for a valid issue will prompt the user to log in. In this way, an unprivileged user can learn...
Cybozu Garoon vulnerable to SQL injection
Overview: Cybozu Garoon, a groupware product provided by Cybozu, contains an SQL injection vulnerability. Ken Asai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
wls-xss.txt
Windows Live Spaces has an XSS vulnerability in the NetworkSetup.aspx page. This vuln affects every Windows Live Space and it works only on logged-in users. With this vuln you can grab cookies and so gain access to the blog's admin panel, where you can edit the user's options and data, MSN Messenger...
CVE-1999-1260
mSQL Mini SQL 2.0.6 allows remote attackers to obtain sensitive server information such as logged users, database names, and server version via the ServerStats query...