9 matches found
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
Impact Authenticated users can delete emails imported into the system assigned to another user; where the Email Dropbox is in use. Patches Fixed in v0.26.0 Workarounds Disable use of email dropbox...
Authorization Bypass Through User-Controlled Key
Overview fatfreecrm is a customer relationship management platform. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the destroy action in app/controllers/emailscontroller.rb. An attacker can delete another user’s email record by sending...
PT-2026-28385
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.6 Description Open WebUI is an artificial intelligence platform designed for offline operation. A missing access control check when deleting files from a knowledge base allows a user with write access to a...
CVE-2025-70150
CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in deletemembers.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter...
CVE-2025-70150
CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in deletemembers.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter...
CVE-2025-70150
CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter. The CVE-2025-70150 entry uses a network-exposed, unauthenticated path with high impact to...
CVE-2025-66556 Nextcloud talk allows participants to blindly delete poll drafts of other users by ID
Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2...
Participants were able to blindly delete poll drafts of other users by ID
None...
Nextcloud: Participants were able to blindly delete poll drafts of other users by ID
Participants were able to blindly delete poll drafts of other users by ID...