6 matches found
get.gov 安全漏洞
get.gov is an open-source domain registration management tool provided by the Cybersecurity and Infrastructure Security Agency of the United States of America. There is a security vulnerability in get.gov; this vulnerability stems from the ability for organizational administrators to assign domai...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GetUserRoles API endpoint. An attacker can access ACL policies for any user across all organizations by supplying specific Name and Org parameters in a network request. Remediatio...
CVE-2026-7573
An authorization bypass CWE-639 in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy roles and permissions for any user across all organizations by supplying targeted Name and Org...
CVE-2026-6290 Velociraptor Query() Plugin Misapplies Permissions To Orgs
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query plugin, in a notebook cell, to run VQL queries on other orgs which th...
Lunary 安全漏洞
Lunary is an open-source production toolkit for LLMs developed by Lunary. Version 1.2.13 of Lunary contains a security vulnerability. This vulnerability stems from insufficient access control granularity, allowing users to delete prompts created by other organizations using their IDs, resulting i...
foreman: models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization
It was found that foreman in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations...