14 matches found
CVE-2026-30941
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email...
EUVD-2026-10551
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints...
CVE-2026-30941
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email...
CVE-2026-30941 Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email...
PT-2025-46914
Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.13.0 Description Directus allows authenticated users to search concealed or sensitive fields when they have read permissions. While the actual values are masked, successful matches can be detected through returned...
CVE-2025-34133 Wimi Teamwork < v7.38.17 CSRF
Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery CSRF vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrftoken' without validating the field’s value; only the presence of the field is checked. An attacker can craf...
Wimi Teamwork 安全漏洞
Wimi Teamwork is a team collaboration cloud platform from Wimi USA. A security vulnerability exists in Wimi Teamwork versions prior to 7.38.17 that stems from the API not validating the csrftoken field value, which could lead to a cross-site request forgery attack...
CVE-2023-44158
Sensitive information disclosure due to insufficient token field masking. The following products are affected: Acronis Cyber Protect 15 Linux, Windows before build 35979...
PT-2022-21724 · Unknown +1 · Power Distribution Units +1
Name of the Vulnerable Software and Affected Versions: Power Distribution Units running on Powertek firmware versions prior to 3.30.30 Description: The issue concerns an insecure permissions setting on the user.token field, which is accessible through the "/cgi/get param.cgi" HTTP API endpoint...
Password and token field in Receiver change after authenticating on Netscaler Gateway.
Password and token field in Receiver change their order after authenticating on NetScaler Gateway...
CVE-2017-17561
SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/adminping.php, which interacts with data/admin/ping.php...
Code injection
SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/adminping.php, which interacts with data/admin/ping.php...
OhMiBod Remote app for Android and iOS User Impersonation Vulnerability
OhMiBod Remote app for Android and iOS is a wireless remote control app for Android and iOS based platforms. A security vulnerability exists in the OhMiBod Remote app for Android and iOS based platforms. A remote attacker can exploit the vulnerability by sniffing network traffic and editing the...
CVE-2016-3188
The prepopulaterequestwalk function in the Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the 1 actions, 2 container, 3 token, 4 password, 5 passwordconfirm, 6 textformat, or 7 markup field type, and consequently have unspecified impact, via unspecified...