7 matches found
GHSA-6RVW-7P8V-MJFQ AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction
Summary objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller including unauthenticated visitors, which defeats the admin-only guard...
Missing Authorization
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization in the users.json.php process. An attacker can access sensitive personal and financial information of all users by sending authenticated...
CVE-2026-34395
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...
CVE-2025-65278
An issue was discovered in file users.json in GroceryMart commit 21934e6 2020-10-23 allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords...
PT-2025-48185
Name of the Vulnerable Software and Affected Versions GroceryMart versions prior to commit 21934e6 2020-10-23 Description An issue exists in the users.json file that allows unauthenticated attackers to obtain sensitive information, including plaintext usernames and passwords. The affected commit ...
GroceryMart 安全漏洞
GroceryMart is an online grocery store platform by the individual developer Komal Bansal. A security vulnerability exists in GroceryMart, which stems from an issue with the file users.json, which could lead to an unauthenticated attacker obtaining sensitive information such as usernames and...
Generex UPS Adapter CS141 Improper Input Validation (CVE-2022-47192)
Generex UPS CS141 below 2.06 version, could allow a remote attacker to upload a backup file containing a modified users.json to the web server of the device, allowing him to replace the administrator password. This plugin only works with Tenable.ot. Please visit...