39 matches found
CVE-2025-26376
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated low-privileged attacker to modify user data via crafted HTTP requests...
CVE-2025-26376
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated low-privileged attacker to modify user data via crafted HTTP requests...
CVE-2025-26376
CVE-2025-26376 concerns Q-Free MaxTime
CVE-2025-26376
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated low-privileged attacker to modify user data via crafted HTTP requests...
CVE-2024-46310
Incorrect Access Control in Cfx.re FXServer v9601 and earlier allows unauthenticated users to modify and read arbitrary user data via exposed API endpoint...
Hardcoded credentials
Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines...
Magento Open Source allows Incorrect Authorization
Adobe Commerce versions 2.4.6 and earlier, 2.4.5-p2 and earlier and 2.4.4-p3 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user...
GHSA-F989-3FP9-Q3R2 Magento Open Source allows Incorrect Authorization
Adobe Commerce versions 2.4.6 and earlier, 2.4.5-p2 and earlier and 2.4.4-p3 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user...
CVE-2023-29288 Adobe Commerce | Incorrect Authorization (CWE-863)
Adobe Commerce versions 2.4.6 and earlier, 2.4.5-p2 and earlier and 2.4.4-p3 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user...
CVE-2022-34621
Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference IDOR vulnerability which allows attackers to modify user passwords and other attributes via modification of the userid parameter...
SQL Injection Vulnerability in Shield Spirit Voting Voter System for Front-end User Modification Data
Shield Spirit Voting Powder Sucking System can be applied to the public number, through the WeChat public number of the message interface to collect the user to send the vote number of the data to reach the vote, with anti-brush voting voting function, but also efficiently suck the live powder...
Parallel Override Vulnerability in SDCMS v1.6
SDCMS era website information management system is a product of Suzhou Fireworks Network Technology Co., Ltd. to asp + access for the development of the portal system. SDCMS v1.6 has a parallel override vulnerability. Attackers can use the vulnerability to illegally modify the user release...
Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)
Monstra-Dev 3.0.4 - Cross-Site Request Forgery Account Hijacking Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Request ForgeryAccount Hijacking Date: 2018-08-04 Exploit Author: Nainsi Gupta Vendor Homepage: http://monstra.org/ Product Name: Monstra-dev Version: 3.0.4 Tested on: Windows 10...
WityCMS 0.6.2 Cross Site Request Forgery
...
WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)
input t...
CVE-2017-18042
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery CSRF vulnerability...
KPPW最新版SQL注入漏洞,修补不严
简要描述: KPPW最新版SQL注入漏洞,修补不严 详细说明: 1.看了http://wooyun.org/bugs/wooyun-2010-086216。这篇帖子,正巧也在审计KPPW,也就去看了用一下最新版对于爆出问题的修补方式。最新版为了防止该漏洞,添加了一个验证。 if$gUserInfo'uid' != $pk'uid' kekezu::showmsg'无权操作',NULL,NULL,NULL,'error'; return false; 2.$gUserInfo'uid'是用户id,是我们不可控的。所以这里不能再用xfkxfk大牛的方法构造uid了。那么我们再看一下save函...
Kesion ICMS智能建站系统多处权限绕过,可修改任意用户密码
简要描述: Kesion ICMS2.5智能建站系统存在多处权限绕过 详细说明: Kesion ICMS智能建站系统多处权限绕过,修改任意用户资料,并可修改任意用户密码。 漏洞证明: 系统官网:http://www.kesion.com/ 系统演示站点:http://i.kesion.com/ 为了演示漏洞,注册了用户名为test1和test2的两个用户。 漏洞一、修改任意用户基本资料: 1、登录test1用户--》会员中心--》修改我的资料。 2、使用代理拦截请求,修改cookie中的username字段为被攻击的用户名: 3、登录被攻击用户,用户资料被修改 漏洞二、修改任意用户绑定手...
DEBIAN-CVE-2009-4076
Cross-site request forgery CSRF vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077...