44 matches found
CVE-2024-36377
In JetBrains TeamCity before 2024.03.2 certain TeamCity API endpoints did not check user permissions...
Code injection
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/membercount API resulting in channel member counts being leaked to a user without permissions...
Authorization Bypass
quarkus-smallrye-graphql is vulnerable to Authorization Bypass. The vulnerability is due to doHandle function in SmallRyeGraphQLOverWebSocketHandler.java file there are no checks to ensure that the user is authenticated or authorized to access the GraphQL endpoint. This allows an attacker to acce...
CVE-2023-6394
CVE-2023-6394 describes an authorization bypass in Quarkus where a websocket GraphQL operation can be processed without authentication if no role-based permission is specified. This allows potential access to information and functionality beyond the granted API permissions. The NVD entry lists a ...
CVE-2023-6394
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...
PT-2023-3712 · Google +2 · Google Chrome +2
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 115.0.5790.98 Description: The issue is related to an inappropriate implementation in Web API Permission Prompts in Google Chrome, which may allow a remote attacker to obfuscate security UI via a crafted HTML...
Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans
The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire,...
CVE-2022-1502
Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions...
CVE-2022-1502
Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions...
CVE-2022-1003 Sysadmin can override existing configs & bypass restrictions like EnableUploads
One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads...
PT-2021-4011 · Icingadb +4 · Icingadb +7
Name of the Vulnerable Software and Affected Versions: Icinga versions prior to 2.11.10 Icinga versions 2.12.0 through 2.12.4 Description: The issue concerns the exposure of credentials for external services through the API to authenticated API users with read permissions for the corresponding...
OpenEMR < 5.0.2.2 Multiple Vulnerabilities
OpenEMR is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:open-emr:openemr"; ifdescription...
Design/Logic Flaw
Incorrect permissions are set by default for an API entry-point of a specific service, allowing a non-authenticated user to trigger a function that could reboot the CompactRIO Driver versions prior to 20.5 remotely...
CVE-2019-20887
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts...
Design/Logic Flaw
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts...
CVE-2019-20887
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts...
CVE-2019-20887
Mattermost Server versions affected: before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. The issue is that flags API permissions are not honored when deciding whether a user can receive intra‑team posts. Root cause and exact impact are not deeply elaborated in the provided documents beyond this behavior, but...
CVE-2020-2191
Jenkins Self-Organizing Swarm Plug-in Modules Plugin 3.20 and earlier does not check permissions on API endpoints that allow adding and removing agent labels...
Description of the security update for SharePoint Server 2019: September 10, 2019
Description of the security update for SharePoint Server 2019: September 10, 2019 Summary This security update resolves a remote code execution vulnerability that exists in Microsoft SharePoint if the software does not check the source markup of an application package. To learn more about this...
CVE-2018-8134
An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions, aka "Windows Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers...