249 matches found
CVE-2025-7886
A vulnerability, which was classified as critical, was found in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. This affects the function getUserLanguage of the file classes/class.database.php. The manipulation of the argument userid leads to sql injection. It...
SourceCodester Best Salon Management System 注入漏洞
SourceCodester Best Salon Management System is SourceCodester open source a salon management system. SourceCodester Best Salon Management System version 1.0 has an injection vulnerability, the vulnerability stems from the wrong operation of the parameter userid/planid in the file...
CVE-2025-6502
A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /phpaction/changePassword.php. The manipulation of the argument userid leads to sql injection. The attack can be initiated remotely. The...
CVE-2025-6160 SourceCodester Client Database Management System user_customer_create_order.php sql injection
A vulnerability, which was classified as critical, has been found in SourceCodester Client Database Management System 1.0. This issue affects some unknown processing of the file /usercustomercreateorder.php. The manipulation of the argument userid leads to sql injection. The attack may be initiat...
CVE-2023-1035
A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been classified as critical. Affected is an unknown function of the file updateuser.php. The manipulation of the argument userid leads to sql injection. It is possible to launch the attack remotely. The...
CVE-2019-13189
In Knowage through 6.1.1, there is XSS via the starturl or userid field to the ChangePwdServlet page...
CVE-2008-7309
Insoshi before 20080920 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the ForumPost userid value via a modified URL, related to a "mass assignment" vulnerability...
CVE-2024-7040
...
CVE-2024-7040
Open WebUI (open-webui/open-webui) v0.3.8 contains an improper access control vulnerability on the frontend admin page. An administrator can view chats of other administrators by altering the user_id parameter, exposing admin chat logs. The issue is documented in Red Hat’s CVE entry and mirrored ...
CVE-2024-7040 Improper Access Control in open-webui/open-webui
In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the userid parameter, it is possible to view the chats of any administrator,...
CVE-2025-1831 zj1983 zz ZorgAction.java GetDBUser sql injection
A vulnerability classified as critical has been found in zj1983 zz up to 2024-8. Affected is the function GetDBUser of the file src/main/java/com/futvan/z/system/zorg/ZorgAction.java. The manipulation of the argument userid leads to sql injection. It is possible to launch the attack remotely. The...
CVE-2025-1831
Affects zj1983 zz (versions up to 2024-8). The GetDBUser function in src/main/java/com/futvan/z/system/zorg/ZorgAction.java is vulnerable to SQL injection via the user_id argument. The issue can be exploited remotely, and public disclosure exists. Multiple connected sources (Red Hat, CVE feeds, C...
CVE-2024-12124
Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-54290. Reason: This candidate is a reservation duplicate of CVE-2024-54290. Notes: All CVE users should reference CVE-2024-54290 instead of this candidate. All references and descriptions in this candidate have been...
CVE-2024-12124
...
CVE-2024-12124
...
CVE-2024-12124
This CVE-2024-12124 entry is rejected/not used and does not represent an active vulnerability.
TeamPass privileges issue
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different userid...
CVE-2024-50703
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different userid...
CVE-2024-10793
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...
CVE-2024-10793 WP Activity Log <= 5.2.1 - Unauthenticated Stored Cross-Site Scripting via User_id Parameter
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...