262 matches found
CVE-2024-36467 Authentication privilege escalation via user groups due to missing authorization checks
An authenticated user with API access e.g.: user with default User role, more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group e.g.: Zabbix Administrators, except to groups that are disabled or having restricted GUI access...
CVE-2024-36467 Authentication privilege escalation via user groups due to missing authorization checks
An authenticated user with API access e.g.: user with default User role, more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group e.g.: Zabbix Administrators, except to groups that are disabled or having restricted GUI access...
CVE-2024-9574 SQL Injection vulnerability in SOPlanning
SQL injection vulnerability in SOPlanning 1.45, via /soplanning/www/usergroupes.php in the by parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the DB...
unable to hide Published desktop for specific client device/domain groups via BrokerAccessPolicy
unable to hide Published desktop for specific client device/domain groups via BrokerAccessPolicy Limit visibility in a delivery group for specific user/client...
CVE-2024-2232
CVE-2024-2232 corresponds to the Himer WordPress Theme CSRF issue: lack of CSRF checks allows inviting any user to any group (including private groups). PatchSTACK notes vulnerable versions are
GO-2024-2744 Access control change may take longer than expected in github.com/authelia/authelia/v4
If the file authentication backend is being used, the ewatch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to...
BIT-MYBB-2021-27948
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. issue 3 of 3...
Code injection
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups...
FOGProject Path Traversal Vulnerability
FOGProject is a free open source network computer cloning and management solution. It can be used to deploy and manage any desktop operating system. A path traversal vulnerability exists in versions of FOGProject prior to 1.5.10, which stems from the fact that endpoints that provide limited...
Chamilo 跨站脚本漏洞
Chamilo LMS is an open source online learning and collaboration system from the Chamilo Association. The system supports the creation of instructional content, distance training, and online question and answer sessions. A security vulnerability exists in Chamilo version 1.11.x through versions...
bloofoxCMS SQL注入漏洞
bloofoxCMS is bloofox bloofoxCMS individual developers of a Php-based text content management system. A security vulnerability exists in bloofoxCMS version v0.5.2.1, which originates from the gid parameter found to contain an SQL injection vulnerability via...
CVE-2023-34751
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the gid parameter at admin/index.php?mode=user&page=groups&action=edit...
Liferay Portal 6.2.5 Insecure Permissions
Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/ Date: 2021/05 Exploit Author: fu2x2000 Version: Liferay Portal 6.2.5 or later CVE : CVE-2021-33990 import requests import json print " Search this on Google Dork for...
Liferay Portal 6.2.5 - Insecure Permissions Exploit
Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/ Exploit Author: fu2x2000 Version: Liferay Portal 6.2.5 or later CVE : CVE-2021-33990 import requests import json print " Search this on Google Dork for liferay...
Liferay Portal 6.2.5 - Insecure Permissions
Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/ Date: 2021/05 Exploit Author: fu2x2000 Version: Liferay Portal 6.2.5 or later CVE : CVE-2021-33990 import requests import json print " Search this on Google Dork for...
[SECURITY] Fedora 38 Update: sudo-1.9.13-1.p2.fc38
Sudo superuser do allows a system administrator to give certain users or groups of users the ability to run some or all commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict...
Multiple cross-site scripting vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in User management CWE-79 - CVE-2022-39325 Stored cross-site scripting vulnerability in Permission Settings CWE-79 - CVE-2022-41994...
CVE-2022-41688
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to th...
Authentication flaw
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to th...
CVE-2022-41688
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to th...