7471 matches found
iTop - User Enumeration via REST Endpoint
From the webservices/rest.php file, several operations are accessible from an unauthenticated user. One of them is doresetpwd, allowing to reset a user password. This feature can be abused to perform user enumeration when a non-existent user is provided. id: CVE-2024-51739 info: name: iTop - User...
WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
Privilege escalation vulnerability exists in the Frontend Login and Registration Blocks plugin for WordPress versions = 1.0.7. An unauthenticated attacker can exploit the AJAX endpoint flrblocksusersettingshandleajaxcallback to change the administrator's email address. Subsequently, the attacker...
NocoDB < 0.258.0 - Reflected XSS in Password Reset
NocoDB versions before 0.258.0 contain a reflected cross-site scripting caused by insecure use of '\u003C%-' in resetPassword.ts, letting attackers execute malicious scripts in victims' browsers, exploit requires sending crafted requests to /api/v1/db/auth/password/reset/:tokenId. id:...
LG LED Assistant - Unauthenticated Password Reset
The /api/changePw endpoint in LG LED Assistant allows unauthenticated password resets when requests are considered to come from localhost. An attacker can spoof the X-Forwarded-For header with value 127.0.0.1 to trigger the behavior and receive a success response. id: CVE-2024-2862 info: name: LG...
BMC FootPrints - Authentication Bypass
BMC FootPrints versions 20.20.02 through 20.24.01.001 contain an authentication bypass vulnerability in the password reset functionality. Unauthenticated attackers can access the /footprints/servicedesk/passwordreset/request/ endpoint to obtain a valid SECTOKEN session cookie without proper...
Profile Builder < 3.4.9 - Improper Authentication
The Profile Builder plugin before 3.4.9 for WordPress allows unauthenticated attackers to gain administrative access by exploiting an improper authentication vulnerability in the password reset functionality. An attacker can reset the password of any user, including administrators, without proper...
Hippoo Mobile App for WooCommerce <= 1.9.4 - Authentication Bypass to Admin Account Takeover
Hippoo Mobile App for WooCommerce WordPress plugin = 1.9.4 contains an authentication bypass caused by logic conflation in user permission checks, letting unauthenticated attackers take over administrator accounts via REST API password reset. id: CVE-2026-10580 info: name: Hippoo Mobile App for...
Piwigo - User Enumeration via Password Reset
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at...
LiquidFiles < 4.2 - User Enumeration via Password Reset
LiquidFiles filetransfer server before 4.2 contains a user enumeration vulnerability caused by distinguishable responses in password reset functionality, letting unauthenticated attackers enumerate valid user accounts, exploit requires no authentication. id: CVE-2025-56132 info: name: LiquidFiles...
keycloak: Group-Admin Escalation to Realm-Admin
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-9099
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-9099 Keycloak: group-admin escalation to realm-admin
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-9099 Keycloak: group-admin escalation to realm-admin
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
EUVD-2026-39472
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-9099
Keycloak contains a flaw in GroupResource.addChild() in the Admin REST API where missing authorization allows an authenticated user with limited admin privileges to reparent any group. Under FGAPv2, a manager of a low-privilege group can reparent a highly privileged group (e.g., realm-admin) unde...
CVE-2026-9099
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirmhash value to verify.php. id: CVE-2017-7615 THIS TEMPLATE IS ONLY FOR DETECTING To carry out further attacks, please see reference2 below. This template works by guessing user ID. MantisBT...
OctoberCMS - Account Takeover
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. id:...
CVE-2026-52809
Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted fr...
CVE-2026-52809
Gogs (CVE-2026-52809) generates password-reset tokens using the ActivateCodeLives lifetime, not the configured ResetPasswordCodeLives. As a result, even if an admin sets a short RESET_PASSWORD_CODE_LIVES (e.g., 10 minutes), reset tokens remain valid for the full activation lifetime (e.g., 180 min...