CVE-2024-25625
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in pimcore/admin-ui-classic-bundle prior to version 1.3.4. The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController,...
Huaxia ERP Authorization Issues Vulnerability
Huaxia ERP is an ERP software from Huaxia, China. Huaxia ERP 3.1 and prior versions have an authorization issue vulnerability that originates from the file src/main/java/com/jsh/erp/controller/UserController.java that can lead to weak password recovery...
CVE-2023-38989
An issue in the delete function in the UserController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete the Administrator's role information...
Codefever Security Vulnerability
CodeFever is a fully open source Git code hosting service from PGYER Open Source. A security vulnerability exists in CodeFever versions prior to 2023.2.7-commit-b1c2e7f, which stems from the component /controllers/api/user.php containing a remote code execution (RCE) issue...
CVE-2022-46999
Tuzicms v2.0.6 was discovered to contain a SQL injection vulnerability via the component \App\Manage\Controller\UserController.class.php...
CVE-2022-4511 RainyGao DocSys path traversal
A vulnerability has been found in RainyGao DocSys and classified as critical. Affected by this vulnerability is an unknown functionality of the component com.DocSystem.controller.UserControllergetUserImg. The manipulation leads to path traversal: '../filedir'. The attack can be launched remotely...
showdoc Cross-Site Request Forgery Vulnerability
ShowDoc is an open source tool for IT teams to share documents online. ShowDoc is vulnerable to cross-site request forgery, which stems from the lack of effective filtering and restriction of cookies set in the software's UserController.class.php, and can be exploited by attackers to cause...
GHSA-WC73-W5R9-X9PC Cross-site Scripting in XXL-JOB
XXL-JOB 2.2.0 allows Stored XSS in Add User to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java...
Cross-site Scripting in XXL-JOB
XXL-JOB 2.2.0 allows Stored XSS in Add User to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java...
xxl-job Information Disclosure Vulnerability
xxl-job is a distributed task scheduling platform with core design goals of rapid development, simple learning, lightweight, and easy scalability. An information disclosure vulnerability exists in xxl-job 2.2.0, which can be exploited by an attacker to obtain username, model, and password...
CVE-2020-9456
In the RegistrationMagic plugin through 4.6.0.3 for WordPress, the user controller allows remote authenticated users with minimal privileges to elevate their privileges to administrator via classrmusercontroller.php rmuseredit...
SQL Injection in marginalia
marginalia 1.6 is affected by SQL Injection. The impact is an injection of any SQL queries when a user-controlled argument is added as a component. This issue affects users that add a component that is user controlled, for instance a parameter or a header. The attack vector is the input of SQL to...
SQL injection vulnerability via Marginalia::Comment
The 'marginalia' gem is affected by a SQL Injection vulnerability. All SQL queries are affected when a user controller argument is added as a component. This affects users that add a component that is user controller, for instance a parameter or a header. The issue is resolved in version 1.6...
SQL Injection
marginalia is vulnerable to SQL injection. The vulnerability exists in an unknown functionality of User Controller in marginalia. An attacker might be able to inject SQL into a vulnerable vector (header, HTTP parameter, etc.) or change existing SQL statements, which would modify the database...
CVE-2019-1010191
marginalia 1.6 is affected by: SQL Injection. The impact is: an injection of any SQL queries when a user-controlled argument is added as a component. The component is: affects users that add a component that is user controlled, for instance a parameter or a header. The attack vector...
SQL injection
marginalia 1.6 is affected by: SQL Injection. The impact is: an injection of any SQL queries when a user-controlled argument is added as a component. The component is: affects users that add a component that is user controlled, for instance a parameter or a header. The attack vector...
CVE-2019-1010191
CVE-2019-1010191 affects the Ruby gem marginalia (and related advisories) before version 1.6. The vulnerability is SQL Injection: if a user controller argument is used as a component (e.g., a parameter or header), an attacker can inject arbitrary SQL queries via a vulnerable vector (header, HTTP ...
CVE-2019-3576
inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATHINFO. The vulnerable code location is com.inxedu.os.edu.controller.user.UserControllerdeleteFavorite aka deleteFavorite in...
CVE-2018-20508
CrashFix 1.0.4 has SQL Injection via the Userstatus parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search function...