GHSA-9CQM-5WF7-WCJ7 XWiki Platform users may execute anything with superadmin right through comments and async macro
Impact Comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled but the async macro is not taking into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki conten...
CVE-2023-26471
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...
Design/Logic Flaw
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...
CVE-2023-26471 XWiki Platform users may execute anything with superadmin right through comments and async macro
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...
CVE-2023-26471
CVE-2023-26471 concerns XWiki Platform where, starting with 11.6-rc-1, comments can trigger an async macro that executes code with superadmin rights despite restricted mode. The underlying issue is that the async macro does not honor restricted mode, enabling any user with comment rights to run ...
PT-2023-20662 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 11.6-rc-1 through 14.8 XWiki Platform versions 14.4.0 through 14.4.5 XWiki Platform versions 13.10.0 through 13.10.9 Description: The XWiki Platform is a generic wiki platform where comments are supposed to be executed...
Stored Cross-Site Scripting (XSS)
Description Input fields allowing Markdown Input are vulnerable to XSS. This requires Superadmin permissions though. Proof of Concept Steps to reproduce: 1. Log in to the admin account 2. Go to Admin - General Settings 3. Enter the Payload in the Login Note and Dashboard Message fields. 4. Go to...
CVE-2022-23061
In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin although this cannot happen according to the documentation via Insecure Direct Object Reference IDOR vulnerability...
Design/Logic Flaw
In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently delete a superadmin although this cannot happen according to the documentation via Insecure Direct Object Reference IDOR vulnerability...
CVE-2022-23061
Shopizer vulnerability CVE-2022-23061 affects Shopizer 2.0–2.17.0. A regular admin can permanently delete a superadmin via an Insecure Direct Object Reference (IDOR) flaw. Root cause: insufficient access control/IDOR exposure in admin actions. Documented as possibly not allowed by the product doc...
Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
✍️ Description Attacker can delete any Exports for any user with CSRF vulnerability when the Admin or SuperAdmin or an authorized user click on PoC.html file, it is enough to attacker know the Export's names on server. I convert the...
Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure Vulnerabilities
Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure Exploit Author: Berkan Er Vendor Homepage: https://www.sonlogger.com/ Version: 4.2.3.3 Tested on: Windows 10 Enterprise x64 Version 1803 A remote attacker can create a user with a SuperAdmin profile...
Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure Date: 04-02-2021 Exploit Author: Berkan Er Vendor Homepage: https://www.sonlogger.com/ Version: 4.2.3.3 Tested on: Windows 10 Enterprise x64 Version 1803 A remote attacker can create a user with SuperAdmin...
CVE-2021-27963
SonLogger before 6.4.1 is affected by user creation with any user permissions profile e.g., SuperAdmin. An anonymous user can send a POST request to /User/saveUser without any authentication or session header...
Session fixation
SonLogger before 6.4.1 is affected by user creation with any user permissions profile e.g., SuperAdmin. An anonymous user can send a POST request to /User/saveUser without any authentication or session header...
Exploit for Missing Authentication for Critical Function in Sfcyazilim Sonlogger
CVE-2021-27964 | SonLogger - Unauthenticated Arbitrary File U...
Exploit for Improper Input Validation in Joomla Joomla!
Made by HK CVE-2020-11890: Improper input validations in th...