4 matches found
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
Summary Several API endpoints in authenticated mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed. Verified against the latest version. Discord: sagi03581 Steps t...
CVE-2026-23964 Mastodon has insufficient access control to push notification settings
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining th...
GHSA-X744-MM8V-VPGR Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39201 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...
MTN Group: Information disclosure via enabled Django Debug Mode
The Django Debug Mode was enabled, which resulted in the disclosure of error messages, API endpoints, and the ability to register arbitrary user accounts and enumerate email addresses of registered users...