CVE-2020-37106

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

CVE-2020-37106

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

CVE-2020-37106 Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

PT-2026-6814

Name of the Vulnerable Software and Affected Versions Business Live Chat Software version 1.0 Description The software contains a cross-site request forgery condition that permits attackers to alter user account roles without needing to authenticate. An attacker can create a malicious HTML form t...

Incorrect Authorization

Overview @oneuptime/common is a The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...

OneUptime Unauthorized User Creation via API

Summary A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. PoC A low-permission user sends a crafted API request to the user-creation endpoint and the system creates the account successfully. Impact This allows attacke...

EUVD-2025-6873

Malicious code in bioql PyPI...

UnoPim vulnerable to remote code execution through Arbitrary File upload

Summary: Affected Functionality: Image upload at User creation Endpoint: /admin/settings/users/create Details The image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy lik...

GHSA-XR97-25V7-HC2Q UnoPim has Stored Cross-site Scripting vulnerability in user creation functionality

Summary Affected Functionality: User creation Endpoint: /admin/settings/users/create Details https://github.com/unopim/unopim/blob/a0dc81947a59ada69e19e1e4313dd591d4e277b4/packages/Webkul/Core/src/Traits/Sanitizer.phpL9-L19 See the mimetype is checked for validation. Mime-type is usually identifi...

CVE-2025-6775

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function createuser of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible ...

CVE-2025-6775

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function createuser of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible ...

CVE-2025-6775

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function createuser of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible ...

CVE-2025-6775 xiaoyunjie openvpn-cms-flask User Creation Endpoint openvpn.py create_user command injection

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function createuser of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible ...

CVE-2025-6775 xiaoyunjie openvpn-cms-flask User Creation Endpoint openvpn.py create_user command injection

A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function createuser of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible ...

CVE-2021-38617

In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/user/ user creation endpoint allows a standard user to create a super user account with a defined password. This directly leads to privilege escalation...

CVE-2025-4012

A vulnerability was found in playeduxyz PlayEdu 开源培训系统 up to 1.8 and classified as problematic. This issue affects some unknown processing of the file /api/backend/v1/user/create of the component User Avatar Handler. The manipulation of the argument Avatar leads to server-side request forgery. Th...

PlayEdu 代码问题漏洞

PlayEdu is an industry-leading online training solution from the China PlayEdu team. A code issue vulnerability exists in PlayEdu 1.8 and earlier versions, which stems from a server-side request forgery due to incorrect operation of the parameter Avatar in the file /api/backend/v1/user/create...

CVE-2024-9098

In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict admins from invitin...