SUSE-SU-2025:02016-1 Security update for screen

This update for screen fixes the following issues: Security issues fixed: - CVE-2025-46802: temporary chmod of a user's TTY to mode 0666 when attempting to attach to a multi-user session allows for TTY hijacking bsc1242269. Other issues fixed: - Use TTY file descriptor passing after a suspend...

Beyond the Scope: Security Testing of Permission Management in Team Workspace

Nowadays team workspaces are widely adopted for multi-user collaboration and digital resource management. To further broaden real-world applications, mainstream team workspaces platforms, such as Google Workspace and Microsoft OneDrive, allow third-party applications referred to as add-ons to be...

CVE-2025-49136

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-use...

CVE-2025-49136

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-use...

CVE-2025-49136

CVE-2025-49136 affects Listmonk before v5.0.2 where Sprig template functions env and expandenv are enabled by default, enabling non-super-admin users (with campaign/template permissions) to read host environment variables via campaign previews. Public reports and the connected Metasploit auxiliar...

Fess has Insecure Temporary File Permissions

Summary Fess an open-source Enterprise Search Server creates temporary files without restrictive permissions, which may allow local attackers to read sensitive information from these temporary files. Details The createTempFile method in org.codelibs.fess.helper.SystemHelper creates temporary file...

CVE-2025-48382 Fess has Insecure Temporary File Permissions

Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local...

CVE-2024-34664

Improper check for exception conditions in Knox Guard prior to SMR Oct-2024 Release 1 allows physical attackers to bypass Knox Guard in a multi-user environment...

CVE-2024-32478

Git Credential Manager GCM is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system can replace binary and gain other users' privileges. This vulnerability is fixed in 2.5.0...

CVE-2024-3101

In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multiusermode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This acti...

CVE-2024-20802

Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows owner to access other users' notification in a multi-user environment...

CVE-2023-29011

Git for Windows, the Windows port of Git, ships with an executable called connect.exe, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of connect.exe's config file is hard-coded as...

CVE-2023-21289

In multiple locations, there is a possible bypass of a multi user security boundary due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2022-20263

In ActivityManager, there is a way to read process state for other users due to a missing permission check. This could lead to local information disclosure of app usage with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Andro...

CVE-2020-23837

A Cross-Site Request Forgery CSRF vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin or other users after an authenticated admin visits a third-party site or clicks on a URL...

Nextcloud Server Insecure Temporary File Creation Vulnerability (GHSA-q568-2933-gcjq)

Nextcloud Server is prone to an insecure temporary file creation vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVE-2025-47794

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud...

CVE-2025-47794 Nextcloud Server vulnerable to insecure temporary file creation, race with write access and permission

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud...

CVE-2025-47794

CVE-2025-47794 affects Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1, and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1. An attacker on a multi-user system may read temporary files from Nextcloud running under a different user account ...

CVE-2025-47794 Nextcloud Server vulnerable to insecure temporary file creation, race with write access and permission

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud...