CVE-2026-44501

DataHub is an open-source metadata platform. Prior to 1.5.0.3, The DataHub frontend datahub-frontend-react deserializes attacker-controlled Java objects from the REDIRECTURL HTTP cookie during the OIDC callback flow, with no integrity protection no HMAC, no encryption. This is a Deserialization o...

EUVD-2001-1319

Malware in sbrugna...

CVE-2025-29757

CVE-2025-29757 involves an incorrect authorization check in the Growatt cloud service’s plant transfer function. The vulnerability allows a malicious user with a valid account to transfer any plant into their own account, due to insufficient access control. Affected component: Growatt cloud servi...

CVE-2025-1723

CVE-2025-1723 affects Zohocorp ManageEngine ADSelfService Plus versions 6510 and earlier. The root cause is session mishandling in ADSelfService Plus, which can enable account takeover by valid users, especially when MFA is not enabled. Multiple connected sources (Red Hat advisory, NVD/NCSC/CVE r...

CVE-2025-1723 Account takeover

Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug...

PT-2024-40534 · Packagist · Typo3/Cms-Core

Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned. Description: The issue allows existing sessions for a user account to remain active even after the user changes their password. To exploit this, an attacker would need a valid user account, either...

CVE-2023-33229

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML...

PT-2023-15383 · Solarwinds · Solarwinds Platform

Name of the Vulnerable Software and Affected Versions: SolarWinds Platform affected versions not specified Description: The issue allows a remote adversary with a valid SolarWinds Platform account to inject HTML by appending URL parameters. This is due to the Incorrect Input Neutralization...

CVE-2022-43947

An improper restriction of excessive authentication attempts vulnerability CWE-307 in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-forc...

Observable Response Discrepancy in Password Reset Functionality

Description The password reset functionality leaks information pertaining to use accounts. Where an invalid account is utilized, the application responds that the account could not be found. Where an account is valid, the application responds with a reason "base.success" when intercepted, or that...

SUSE CVE-2020-5504

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server...

Cisco Anyconnect Secure Mobility Client 竞争条件问题漏洞

Cisco Anyconnect Secure Mobility Client is a VPN client software for secure connectivity from Cisco. The Cisco AnyConnect Secure Mobility Client suffers from a Competitive Condition Issue vulnerability that arises from a competitive condition during signature verification of shared library files...

CVE-2019-10934

A vulnerability has been identified in TIA Portal V14 All versions, TIA Portal V15 All versions V15.1 Update 7, TIA Portal V16 All versions V16 Update 6, TIA Portal V17 All versions V17 Update 4. Changing the contents of a configuration file could allow an attacker to execute arbitrary code with...

CVE-2019-19020

An issue was discovered in TitanHQ WebTitan before 5.18. In the administration web interface it is possible to upload a crafted backup file that enables an attacker to execute arbitrary code by overwriting existing files or adding new PHP files under the web root. This requires the attacker to ha...

CVE-2019-14474

eQ-3 Homematic CCU3 3.47.15 and prior has Improper Input Validation in function 'Call' of ReGa core logic process, resulting in the ability to start a Denial of Service. Due to Improper Authorization an attacker can obtain a session ID from CVE-2019-9583 or a valid guest/user/admin account can...

CVE-2019-2484

Vulnerability in the Application Express component of Oracle Database Server. Supported versions that are affected are 5.1 and 18.2. Easily exploitable vulnerability allows low privileged attacker having Valid Account privilege with network access via HTTP to compromise Application Express...

EMC Unified Infrastructure Manager/Provisioning Authentication Bypass Vulnerability

EMC Unified Infrastructure Manager is a manager built for converged infrastructures that automates the configuration, provisioning, viewing of topology, monitoring of events and availability. A security vulnerability exists in the use of LDAP authentication for EMC UIM configurations, which allow...

CVE-2015-0532

EMC RSA Identity Management and Governance IMG 6.9 before P04 and 6.9.1 before P01 does not properly restrict password resets, which allows remote attackers to obtain access via crafted use of the reset process for an arbitrary valid account name, as demonstrated by a privileged account...

Oracle Database Server has a remote vulnerability (CNVD-2015-02520)

Oracle Database is a large database of commercial nature. A remote vulnerability exists in Oracle Database Server that allows an attacker to gain 'Valid account' privileges using the 'Oracle Net' protocol...

Oracle Database Server Remote Vulnerability (CNVD-2015-00490)

Oracle Database is a large database of commercial nature. A remote vulnerability exists in Oracle Database Server that allows an attacker to gain 'Valid account' privileges using the 'HTTP' protocol...