WordPress Download Manager plugin <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword vulnerability

Unauthenticated Limited Privilege Escalation via updatePassword vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Download Manager versions = 3.3.40...

EUVD-2025-13573

Malicious code in bioql PyPI...

CVE-2023-27576

An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified...

CVE-2025-40624

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier ‘User’ and...

CVE-2025-40624

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier ‘User’ and...

CVE-2025-40624 Multiple vulnerabilities in TCMAN's GIM

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier ‘User’ and...

CVE-2025-40624 Multiple vulnerabilities in TCMAN's GIM

SQL injection in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to inject an SQL statement to obtain, update and delete all information in the database. This vulnerability was found in each of the following parameters according to the vulnerability identifier ‘User’ and...

CVE-2025-40624

TCMAN’s GIM v11 is affected by a SQL injection in the updatePassword endpoint, exploitable by an unauthenticated attacker via the vulnerable parameters User and email . The root cause is unvalidated input leading to the ability to obtain, update, and delete all information in the database. The vu...

PT-2025-19920 · Tcman · Tcman'S Gim

Name of the Vulnerable Software and Affected Versions: TCMAN's GIM version 11 Description: This issue allows an unauthenticated attacker to inject an SQL statement to obtain, update, and delete all information in the database. The vulnerability is found in the updatePassword endpoint, specificall...

CVE-2022-30358

OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required...

CVE-2022-30358

OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required...

CVE-2023-27576

An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified...

CVE-2023-27576

An issue was discovered in phpList before 3.6.14. Due to an access error, it was possible to manipulate and edit data of the system's super admin, allowing one to perform an account takeover of the user with super-admin permission. Specifically, for a request with updatepassword=1, a modified...

PT-2023-21218 · Phplist · Phplist

Name of the Vulnerable Software and Affected Versions: phpList versions prior to 3.6.14 Description: An issue was discovered due to an access error, allowing manipulation and editing of the system's super admin data, which enables an account takeover of the user with super-admin permission...

Schneider Electric APC Easy UPS Online updatePassword Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of Schneider Electric APC Easy UPS Online. Authentication is not required to exploit this vulnerability. The specific flaw exists within the updatePassword function. The issue results from the lack of...

Click Studios Passwordstate 安全漏洞

Click Studios Passwordstate passwordstate is a password management software from the Click Studios team in Australia. The program provides users with the ability to save their passwords, record their accounts and passwords, and keep them safe. This program provides you with the ability to save yo...

Insufficient Session Expiration

derhansen/fechangepwd uses insecure session management. The vulnerability exists because the updatePassword functions in FrontendUserService.php fails to revoke existing sessions for the current user when the password has been changed, allowing an attacker to bypass the authentication mechanism...

Crestron Multiple Products CTP Console UPDATEPASSWORD Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Crestron's Android-based products. Authentication is required to exploit this vulnerability. The specific flaw exists within the UPDATEPASSWORD command of the CTP console. The issue results from th...