11 matches found
CVE-2026-53725
Parse Server up to version 9.9.1-alpha.5 contains a vulnerability in MFA handling: when _User get is denied by Class-Level Permissions, the /login and /verifyPassword endpoints may bypass CLP/protectedFields sanitization and return raw database rows, exposing MFA data (MFA TOTP secrets and recove...
CVE-2026-4190
A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...
CVE-2026-4190 JawherKl node-api-postgres user.js User.getAll sql injection
A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...
CVE-2026-4190
A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...
CVE-2026-4190
JawherKl node-api-postgres (up to 2.5) is affected by a SQL injection in User.getAll (models/user.js) caused by unsafely manipulated sort argument. The vulnerability allows remote execution, and public exploit code is available. Vendor was contacted but no response. No remediation details are pro...
CVE-2020-36968
M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for al...
CVE-2025-27236 User information disclosure via api_jsonrpc.php on method user.get with param search
A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to...
CVE-2024-42325 Excessive information returned by user.get
Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc...
CVE-2024-44808
An issue in Vypor Attack API System v.1.0 allows a remote attacker to execute arbitrary code via the user GET parameter...
CVE-2022-38599
Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 was discovered to contain an information leak via the /user/get-role-list web interface...
PT-2022-24474
Name of the Vulnerable Software and Affected Versions Teleport versions 3.2.2 through 3.6.3-b2 Description The issue is an information leak via the "/user/get-role-list" web interface. This leak was discovered in the specified versions of Teleport. There is no information provided about the...