75 matches found

NVD · added 2026/06/17 7:18 p.m. · 10 views

CVE-2026-53871

Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks a...

CVSS 8.6 · EPSS 0.00365 · Exploits: 0 · References: 5
CVE · added 2026/06/17 5:58 p.m. · 14 views

CVE-2026-53871

Hermes WebUI prior to version 0.51.368 contains an authorization bypass in get_profile_cookie() that accepts unauthenticated profile names via the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie to bypass profile-scoped authorization and access sessions, files...

CVSS 8.6 · AI score 5.3 · EPSS 0.00365 · Exploits: 0 · References: 5
Cvelist · added 2026/05/06 5:10 p.m. · 31 views

CVE-2026-20219

A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed...

CVSS 5.4 · EPSS 0.00168 · Exploits: 0 · References: 1
Snyk · added 2026/05/06 5:05 p.m. · 6 views

Incorrect Authorization

org.webjars.npm:auth0-js is a client-side JavaScript toolkit for the Auth0 API. Affected versions of this package are vulnerable to Incorrect Authorization via token validation. An attacker can gain unauthorized access to user profile information by providing a specifically crafted invalid I...

CVSS 7.1 · AI score 5.8 · EPSS 0.00211 · Exploits: 0 · References: 2
RedhatCVE · added 2026/04/07 11:01 p.m. · 4 views

CVE-2026-5708

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with...

CVSS 8.8 · AI score 5.9 · EPSS 0.00841 · Exploits: 1 · References: 1
RedhatCVE · added 2026/03/26 2:58 p.m. · 3 views

CVE-2026-4314

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the isDashboardOrProfileRequest method in the Menu Editor module using an insecure strpos check against $_SERVER['REQUEST_URI'] to...

CVSS 8.8 · AI score 5.9 · EPSS 0.00286 · Exploits: 0 · References: 1
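The entry above names the bug class without showing it: a privilege-relevant branch is selected by substring-matching the raw request URI. The following is an added example, not code from the WP Extended plugin or from any advisory on this page; it contrasts that check with one that inspects only the parsed, normalized path. PHP's `strpos($uri, $needle) !== false` is the same test as Python's `in`. The page names, the `/wp-admin/` prefix and the sample request URIs are constructed for illustration.

```python
"""Gating a branch on REQUEST_URI: substring match versus parsed path.

Added example; it models the class of check described in the advisory entry
above and is not the plugin's code. ALLOWED_PAGES, ADMIN_PREFIX and the
sample URIs are constructed assumptions.
"""
import posixpath
from urllib.parse import urlsplit

ALLOWED_PAGES = {"index.php", "profile.php"}   # hypothetical: pages the branch is meant for
ADMIN_PREFIX = "/wp-admin/"                     # hypothetical: directory those pages live in


def is_dashboard_or_profile_insecure(request_uri: str) -> bool:
    """Vulnerable pattern: a page name anywhere in the raw URI counts,
    query string and unrelated path segments included."""
    return any(page in request_uri for page in ALLOWED_PAGES)


def is_dashboard_or_profile_strict(request_uri: str) -> bool:
    """Hardened pattern: consult only the normalized path component,
    require the expected directory and an exact final segment."""
    path = posixpath.normpath(urlsplit(request_uri).path)   # drops ?query, collapses ./ and ../
    return path.startswith(ADMIN_PREFIX) and posixpath.basename(path) in ALLOWED_PAGES


# Constructed request URIs: two genuine hits, three that merely mention a page name,
# one unrelated admin page.
SAMPLE_REQUEST_URIS = [
    "/wp-admin/profile.php",
    "/wp-admin/index.php",
    "/wp-admin/admin-ajax.php?action=save&ref=profile.php",
    "/wp-admin/user-edit.php?user_id=2&wp_http_referer=%2Fwp-admin%2Fprofile.php",
    "/wp-content/uploads/profile.php",
    "/wp-admin/edit.php",
]


def false_positives(uris=SAMPLE_REQUEST_URIS) -> list:
    """URIs the substring check accepts but the path check rejects."""
    return [u for u in uris
            if is_dashboard_or_profile_insecure(u) and not is_dashboard_or_profile_strict(u)]
```

Two caveats for anyone porting this back to WordPress: the screen identity should come from the `$pagenow` global or `get_current_screen()` rather than from `REQUEST_URI` at all, and which page triggered the request is never a substitute for a capability check (`current_user_can()`) on the privileged action itself.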
OSV · added 2026/02/18 2:16 p.m. · 6 views

CVE-2026-1436

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...

CVSS 6.5 · AI score 5.5 · Exploits: 0 · References: 1
NVD · added 2026/02/18 2:16 p.m. · 4 views

CVE-2026-1436

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...

CVSS 7.1 · EPSS 0.00212 · Exploits: 0 · References: 1
Cvelist · added 2026/02/18 1:09 p.m. · 21 views

CVE-2026-1436 Improper Access Control (IDOR) vulnerability in Graylog Web Interface

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...

CVSS 7.1 · EPSS 0.00212 · Exploits: 0 · References: 1
Vulnrichment · added 2026/02/18 1:09 p.m. · 4 views

CVE-2026-1436 Improper Access Control (IDOR) vulnerability in Graylog Web Interface

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...

CVSS 7.1 · AI score 5.5 · EPSS 0.00212 · Exploits: 0 · References: 1
CVE · added 2026/02/18 1:09 p.m. · 8 views

CVE-2026-1436

Graylog API vulnerability CVE-2026-1436 affects Graylog API version 2.2.3. An authenticated user can access other users' profiles by altering the URL /users/, due to missing object-level authorization checks on that endpoint (http://:12900/users/). Impact includes exposure of names, emails, inter...

CVSS 7.1 · AI score 5.5 · EPSS 0.00212 · Exploits: 0 · References: 1 · Affected software: 1
Positive Technologies · added 2026/02/18 12:00 a.m. · 9 views

PT-2026-20392

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...

CVSS 7.1 · AI score 5.5 · EPSS 0.00212 · Exploits: 0 · References: 2
Positive Technologies · added 2026/02/12 12:00 a.m. · 6 views

PT-2026-7858

An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL...

AI score 5.5 · EPSS 0.00193 · Exploits: 0 · References: 4
RedhatCVE · added 2026/01/07 9:49 a.m. · 6 views

CVE-2022-27958

Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information...

CVSS 5.5 · AI score 6.9 · EPSS 0.00581 · Exploits: 1 · References: 1
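Four entries on this page describe the same class of flaw from different carriers: Hermes WebUI (a profile name in a cookie), Graylog (a user ID in a /users/ path segment), Ideagen Q-Pulse (an objectKey query parameter) and FEBS-Security (a userid parameter). In each, the server authenticates the caller and then scopes the response to an identifier the client chose. The block below is an added example written for this page, not code from any of those products; it shows a handler that makes that mistake beside one that binds the requested object to the session principal. The user and session stores, the cookie name `profile`, the `objectKey` parameter and the request shapes are constructed assumptions.

```python
"""Object-level authorization on a "read profile" endpoint.

Added example for the advisories above; not code from Hermes WebUI, Graylog,
Q-Pulse or FEBS-Security. USERS, SESSIONS, the cookie names and the
parameter name are constructed for illustration.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class Forbidden(Exception):
    pass


# Constructed user store: user id -> profile. "email" stands in for sensitive data.
USERS = {
    "1001": {"name": "alice", "email": "alice@example.test", "admin": False},
    "1002": {"name": "bob",   "email": "bob@example.test",   "admin": False},
    "1003": {"name": "carol", "email": "carol@example.test", "admin": True},
}
# Constructed session store: opaque token -> user id. The token is the only thing
# the client proves; the principal is derived from it server-side.
SESSIONS = {"s-alice": "1001", "s-bob": "1002", "s-carol": "1003"}


@dataclass
class Request:
    path: str          # request target, e.g. "/users/1002" or "/me?objectKey=1002"
    cookies: str = ""  # raw Cookie header, e.g. "session=s-bob; profile=1001"

    def cookie(self, name: str) -> Optional[str]:
        jar = SimpleCookie(self.cookies)
        return jar[name].value if name in jar else None

    def session_user(self) -> str:
        """Authenticated principal, resolved from the session cookie alone."""
        user = SESSIONS.get(self.cookie("session") or "")
        if user is None:
            raise Forbidden("not authenticated")
        return user


def requested_user_id(req: Request) -> Optional[str]:
    """The client-controlled identifier, from whichever carrier the request used."""
    if req.cookie("profile") is not None:        # profile name carried in a cookie
        return req.cookie("profile")
    parts = urlsplit(req.path)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) == 2 and segs[0] == "users":    # /users/<id>
        return segs[1]
    qs = parse_qs(parts.query)
    if "objectKey" in qs:                        # ?objectKey=<id>
        return qs["objectKey"][0]
    return None


def get_profile_vulnerable(req: Request) -> dict:
    """Checks that someone is logged in, then trusts the identifier the client sent."""
    caller = req.session_user()
    target = requested_user_id(req) or caller
    return USERS[target]                         # KeyError doubles as an existence oracle


def get_profile_fixed(req: Request) -> dict:
    """Binds the requested object to the session principal: self, or admin for others.

    Ownership is checked before the lookup, so a non-admin probing arbitrary ids
    gets the same Forbidden whether or not the id exists (no user enumeration).
    """
    caller = req.session_user()
    target = requested_user_id(req) or caller    # default to self, never to a cookie value
    if target != caller and not USERS[caller]["admin"]:
        raise Forbidden(f"user {caller} may not read profile {target}")
    if target not in USERS:
        raise KeyError(target)
    return USERS[target]


def outcome(handler, req: Request) -> str:
    """Summarize a handler call as the name it disclosed, or the error it raised."""
    try:
        return handler(req)["name"]
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "not found"
```

Run `outcome(get_profile_vulnerable, Request("/me", "session=s-bob; profile=1001"))` and the same call with `get_profile_fixed` to see the forged-cookie case: the first returns alice's record to bob, the second returns "forbidden". The `objectKey=9999` probe is the enumeration point the Graylog entries mention: the vulnerable handler answers "not found" for an unknown id and a real name for a known one, while the fixed handler answers "forbidden" for both.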
RedhatCVE · added 2025/12/09 5:27 p.m. · 6 views

CVE-2025-22420

In multiple locations, there is a possible way to leak audio files across user profiles due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 7.8 · AI score 6.8 · EPSS 0.00071 · Exploits: 0 · References: 1
OSV · added 2025/12/08 5:16 p.m. · 2 views

CVE-2025-22420

In multiple locations, there is a possible way to leak audio files across user profiles due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 7.8 · AI score 5.9 · EPSS 0.00071 · Exploits: 0 · References: 2
EUVD · added 2025/10/07 12:30 a.m. · 3 views

EUVD-2020-18955

Malware in sbrugna...

CVSS 5.3 · AI score 5.2 · EPSS 0.01018 · Exploits: 0 · References: 5
EUVD · added 2025/10/07 12:30 a.m. · 7 views

EUVD-2005-4281

Malware in sbrugna...

CVSS 7.5 · AI score 6.4 · EPSS 0.01211 · Exploits: 0 · References: 5
EUVD · added 2025/10/07 12:30 a.m. · 3 views

EUVD-2017-1440

Malware in sbrugna...

CVSS 4.3 · AI score 4.8 · EPSS 0.00677 · Exploits: 1 · References: 2
EUVD · added 2025/10/07 12:30 a.m. · 7 views

EUVD-2006-0112

Malware in sbrugna...

CVSS 5 · AI score 6.4 · EPSS 0.02553 · Exploits: 1 · References: 10