248 matches found

OSV · added 2025/04/16 9:28 p.m. · 2 views

CVE-2025-31478 Zulip Authentication Backend Configuration Bypass

Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being requir...

CVSS 8.2 · AI score 7 · EPSS 0.00312
Exploits 0 · References 4
Positive Technologies · added 2025/04/16 12:00 a.m. · 3 views

PT-2025-16904

Name of the Vulnerable Software and Affected Versions: Zulip versions prior to 10.2. Description: A bug in the Zulip server allows account creation without authenticating with the configured Single Sign-On (SSO) authentication backend in organizations where account creation is limited solely by SSO...

CVSS 8.2 · AI score 5.4 · EPSS 0.00312
Exploits 0 · References 11
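
The two Zulip entries above describe an organization whose only signup restriction is that the SSO backend authenticated the user, and a server that created accounts without that authentication having happened. The Python below is an added illustration of that gating pattern; it is not Zulip's code, and the proof-token format, the HMAC key and the 10-minute lifetime are assumptions made for the example. The weak form trusts a client-controlled flag; the hardened form accepts only a server-minted, address-bound, single-use proof issued by the SSO callback.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret (constructed for this example; load from config in practice).
SERVER_KEY = secrets.token_bytes(32)
PROOF_TTL_SECONDS = 600


class Registry:
    """Minimal stand-in for the organization's user table."""

    def __init__(self):
        self.accounts = set()         # registered e-mail addresses
        self.consumed_proofs = set()  # proofs already redeemed, to block replay


def register_weak(registry, email, authenticated_via_sso):
    """Vulnerable pattern: the 'only SSO-authenticated users may sign up' rule is
    enforced on a flag the client controls, so any request can simply set it."""
    if not authenticated_via_sso:
        return False
    registry.accounts.add(email.lower())
    return True


def mint_sso_proof(email, issued_at=None):
    """Called only from the SSO callback, after the backend has authenticated `email`.
    Binds address and issue time under an HMAC so the client cannot forge or alter it."""
    issued_at = int(time.time() if issued_at is None else issued_at)
    msg = f"{email.lower()}|{issued_at}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{email.lower()}|{issued_at}|{tag}"


def verify_sso_proof(proof, email, now=None):
    """True only if `proof` was minted by this server for `email` and is still fresh."""
    now = int(time.time() if now is None else now)
    try:
        proof_email, issued_str, tag = proof.split("|")
        issued_at = int(issued_str)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{proof_email}|{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    if proof_email != email.lower():
        return False
    return 0 <= now - issued_at <= PROOF_TTL_SECONDS


def register(registry, email, sso_proof, now=None):
    """Hardened pattern: account creation requires a valid, unexpired, unused proof
    that the SSO backend authenticated exactly this address."""
    if not verify_sso_proof(sso_proof, email, now):
        return False
    if sso_proof in registry.consumed_proofs:
        return False
    registry.consumed_proofs.add(sso_proof)
    registry.accounts.add(email.lower())
    return True
```

The point of the proof is that the registration handler never has to ask "did the client say it logged in?"; it asks "can I verify, with my own key, that my SSO callback vouched for this address recently and that nobody has used that voucher before?". Binding the address into the proof is what stops an attacker who legitimately authenticated as one address from registering a different one.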
Redos · added 2025/02/14 12:00 a.m. · 10 views

ROS-20250214-01

A vulnerability in Grafana, a web-based data visualization tool, is related to the ability to delete pending invitations. Exploitation of the vulnerability could allow a remote attacker to modify arbitrary data...

CVSS 2.7 · AI score 6.8 · EPSS 0.005
Exploits 0
RedhatCVE · added 2025/02/06 1:05 a.m. · 9 views

CVE-2022-21706

Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server versions 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack where an invitation...

CVSS 9.8 · AI score 6.6 · EPSS 0.01335
Exploits 0 · References 1
RedhatCVE · added 2025/02/05 7:32 p.m. · 3 views

CVE-2022-39356

Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is...

CVSS 8.9 · AI score 6.9 · EPSS 0.00558
Exploits 0 · References 1
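
The Discourse entry above (an unscoped invitation link lets the redeemer type any non-admin user's address and land in that account) and the CVE-2022-21706 entry before it (multi-use invitations in a deployment that hosts several organizations) are both failures to bind invite redemption tightly enough. The Python below is an added example of the checks a redemption handler needs; it is not Discourse's or Zulip's code, and the `Invite`, `User` and `Site` shapes, the organization field and the "unverified until confirmed" rule are assumptions made for the illustration. The weak form attaches to whatever existing account matches the typed address; the hardened form binds the invite to its organization, lets a scoped invite yield only its own address, and lets an unscoped invite create a brand-new, unverified account only.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Invite:
    token: str
    org: str                         # organization/realm the invite was issued for
    email: Optional[str] = None      # None = multi-use link not scoped to one address
    max_uses: int = 1
    uses: int = 0


@dataclass
class User:
    email: str
    org: str
    role: str = "member"
    email_verified: bool = True


@dataclass
class Site:
    users: dict = field(default_factory=dict)    # (org, email) -> User
    invites: dict = field(default_factory=dict)  # token -> Invite

    def add_user(self, email, org, role="member"):
        user = User(email.lower(), org, role)
        self.users[(org, user.email)] = user
        return user


def redeem_weak(site, token, org, claimed_email):
    """Vulnerable pattern: an unscoped invite accepts whatever address the redeemer
    types, the lookup returns (and the caller logs in) any existing account with that
    address, and the invite is honoured in whichever organization is requested."""
    inv = site.invites[token]
    email = (inv.email or claimed_email).lower()
    user = site.users.get((org, email))
    if user is None:
        user = site.add_user(email, org)
    inv.uses += 1
    return user


def redeem(site, token, org, claimed_email):
    """Hardened pattern: invite bound to its organization; a scoped invite only ever
    yields its own address; an unscoped invite may only create a new account, never
    attach to an existing one; a typed address stays unverified until confirmed."""
    inv = site.invites.get(token)
    if inv is None or inv.uses >= inv.max_uses:
        raise PermissionError("invalid or exhausted invitation")
    if inv.org != org:
        raise PermissionError("invitation was issued for a different organization")
    if inv.email is not None:
        if claimed_email.lower() != inv.email.lower():
            raise PermissionError("invitation is for a different address")
        # The issuer chose this address and the link was delivered to it.
        email, verified = inv.email.lower(), True
    else:
        email, verified = claimed_email.lower(), False
    if (org, email) in site.users:
        raise PermissionError("an account with that address exists; sign in instead")
    inv.uses += 1
    user = site.add_user(email, org)
    user.email_verified = verified
    return user
```

The rule that matters most is the one the Discourse text points at: redeeming an invitation must never be a way to obtain a session for an account that already exists. If the typed address is taken, the only acceptable answer is "sign in", and a freshly created account from an unscoped link should not be trusted as owning its address until that address confirms it.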
Vulnrichment · added 2025/01/24 4:28 p.m. · 4 views

CVE-2025-22608 Coolify Vulnerable to Revocation of Arbitrary Team Invitations (DOS)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID,...

CVSS 6.5 · AI score 6.4 · EPSS 0.00334
Exploits 1 · References 1
CVE · added 2025/01/24 4:28 p.m. · 58 views

CVE-2025-22608

Coolify (before 4.0.0-beta.361) suffers from missing authorization that lets any authenticated user revoke arbitrary team invitations by providing a predictable, incrementing ID, enabling Denial of Service. A patch is available in 4.0.0-beta.361. The issue’s description across multiple sources co...

CVSS 6.5 · AI score 6.4 · EPSS 0.00334
Exploits 1 · References 1 · Affected Software 1
OSV · added 2025/01/24 4:28 p.m. · 3 views

CVE-2025-22608 Coolify Vulnerable to Revocation of Arbitrary Team Invitations (DOS)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID,...

CVSS 6.5 · AI score 6.7 · EPSS 0.00334
Exploits 1 · References 3
CNNVD · added 2025/01/24 12:00 a.m. · 3 views

Coolify security vulnerability

Coolify is an open source and self-hosted alternative to Heroku/Netlify/Vercel. coolLabs Coolify suffers from a denial of service vulnerability that stems from the fact that any authenticated user can revoke any team invitation on an instance by simply providing a predictable incremental ID, whic...

CVSS 6.5 · AI score 6.5 · EPSS 0.00334
Exploits 1 · References 2
Positive Technologies · added 2025/01/24 12:00 a.m. · 3 views

PT-2025-4594 · Coolify · Coolify

Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.361 Description: The issue is related to missing authorization in Coolify, allowing any authenticated user to revoke team invitations by providing a predictable and incrementing ID. This can result in a...

CVSS 6.5 · AI score 6.9 · EPSS 0.00334
Exploits 1 · References 4
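
All five CVE-2025-22608 entries above describe the same defect: the revoke endpoint confirms that the caller is logged in but never that the caller is allowed to touch the invitation named by the id, and the ids are sequential, so one loop clears every pending invitation on the instance. The Python below is an added example of the missing object-level check; it is not Coolify's code, and the in-memory `Store`, the team-admin map and the `sweep` helper are assumptions made for the illustration. The `sweep` function is the attack the page describes, run against the weak and the hardened handler.

```python
from dataclasses import dataclass, field


@dataclass
class Invitation:
    id: int
    team_id: int
    email: str


@dataclass
class Store:
    invitations: dict = field(default_factory=dict)  # id -> Invitation
    team_admins: dict = field(default_factory=dict)  # team_id -> set of user ids
    next_id: int = 1                                 # auto-increment, as the entries describe

    def create_invitation(self, team_id, email):
        inv = Invitation(self.next_id, team_id, email)
        self.invitations[inv.id] = inv
        self.next_id += 1
        return inv.id


def revoke_weak(store, caller_id, invitation_id):
    """Vulnerable pattern: the route checks only that a caller is authenticated,
    then deletes whatever row the supplied id names."""
    if caller_id is None:
        raise PermissionError("authentication required")
    return store.invitations.pop(invitation_id, None) is not None


def revoke(store, caller_id, invitation_id):
    """Hardened pattern: the caller must administer the team the invitation belongs
    to. 'Missing' and 'forbidden' look identical to the client, so the sequential id
    space cannot be used to discover which rows exist."""
    if caller_id is None:
        raise PermissionError("authentication required")
    inv = store.invitations.get(invitation_id)
    if inv is None or caller_id not in store.team_admins.get(inv.team_id, set()):
        return False
    del store.invitations[invitation_id]
    return True


def sweep(store, caller_id, revoke_fn):
    """The attack from the advisory: walk the predictable id space and revoke
    everything the endpoint lets through. Returns how many were revoked."""
    return sum(1 for i in range(1, store.next_id) if revoke_fn(store, caller_id, i))
```

Note that the fix is the authorization check, not a switch to random ids: unguessable ids would only slow the sweep down, while the ownership check stops it even if the ids are printed on the page. Returning the same "not found" result for both missing and foreign rows is a small extra that keeps the id space from leaking how many invitations other teams have.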
OSV · added 2025/01/09 7:15 a.m. · 2 views

CVE-2025-22449

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins who have no permission to invite users to their team to invite users anyway by updating the "allowopeninvite" field, i.e. by making their team public...

CVSS 3.8 · AI score 6.8
Exploits 0 · References 1
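
The CVE-2025-22449 entry above is a permission bypass through a side door: the admin is denied the "invite" action but is still allowed to flip the team to open, and an open team lets anyone join, which is the same outcome. The Python below is an added example of closing that door; it is not Mattermost's code, and the permission names, the `Team` shape and the `join_team` rule are assumptions made for the illustration. The hardened update handler treats "open the team" as an invite action and gates it on the same permission.

```python
from dataclasses import dataclass, field

# Assumed permission names for the example (not Mattermost's identifiers).
PERM_MANAGE_TEAM = "manage_team"
PERM_INVITE_USER = "invite_user"


@dataclass
class Team:
    id: int
    display_name: str = ""
    allow_open_invite: bool = False
    members: set = field(default_factory=set)


def join_team(team, user_id):
    """Anyone may join a team whose allow_open_invite flag is set; otherwise an
    invitation is required. This is what makes the flag invite-equivalent."""
    if not team.allow_open_invite:
        return False
    team.members.add(user_id)
    return True


def patch_team_weak(team, caller_perms, patch):
    """Vulnerable pattern: 'manage team' lets the caller set any field, including
    allow_open_invite, even when the invite permission was withheld."""
    if PERM_MANAGE_TEAM not in caller_perms:
        raise PermissionError("manage_team required")
    for key, value in patch.items():
        setattr(team, key, value)
    return team


def patch_team(team, caller_perms, patch):
    """Hardened pattern: turning allow_open_invite on is an invite action, so it
    requires the invite permission in addition to manage_team. Other fields,
    and turning the flag off, are still plain team management."""
    if PERM_MANAGE_TEAM not in caller_perms:
        raise PermissionError("manage_team required")
    opening = patch.get("allow_open_invite") is True and not team.allow_open_invite
    if opening and PERM_INVITE_USER not in caller_perms:
        raise PermissionError("opening the team requires the invite permission")
    for key, value in patch.items():
        setattr(team, key, value)
    return team
```

The general lesson is to enumerate every state change that has the same effect as a restricted action (here, anything that lets a non-member become a member) and gate all of them on that action's permission, rather than only the endpoint literally named after it.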
CNNVD · added 2024/12/03 12:00 a.m. · 4 views

Element Synapse security vulnerability

Element Synapse is an open source Matrix homeserver implementation from Element. A security vulnerability exists in Element Synapse that stems from a failure to properly validate invitations received over federation...

CVSS 8.7 · AI score 6.3 · EPSS 0.00536
Exploits 0 · References 3
CNNVD · added 2024/10/29 12:00 a.m. · 4 views

Grafana security vulnerability

Grafana is an open source set of monitoring tools that provides a visual monitoring interface. The tool is primarily used to monitor and analyze Graphite, InfluxDB, and Prometheus, among others. A security vulnerability exists in Grafana 10.4.0 and earlier versions, which...

CVSS 2.7 · AI score 5.2 · EPSS 0.005
Exploits 0 · References 2
CVE · added 2024/08/05 6:00 a.m. · 46 views

CVE-2024-2232

CVE-2024-2232 corresponds to the Himer WordPress Theme CSRF issue: lack of CSRF checks allows inviting any user to any group (including private groups). Patchstack notes vulnerable versions are

CVSS 8.1 · AI score 6.6 · EPSS 0.00261
Exploits 1 · References 1 · Affected Software 1
CNNVD · added 2024/08/01 12:00 a.m. · 6 views

Mattermost security vulnerability

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from a security vulnerability that stems from a failure to reject unsolicited invitations to a local channel when shared channels are enabled, which allows a...

CVSS 9.6 · AI score 6.2 · EPSS 0.00363
Exploits 0 · References 2
OSV · added 2024/07/09 9:15 p.m. · 5 views

CVE-2024-39031

In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when...

CVSS 5.4 · AI score 6.1 · EPSS 0.00767
Exploits 2 · References 2
OSV · added 2024/07/03 6:15 a.m. · 3 views

CVE-2024-2233

The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group...

CVSS 4.3 · AI score 5.8 · EPSS 0.00193
Exploits 2 · References 1
CVE · added 2024/07/03 6:00 a.m. · 71 views

CVE-2024-2233

Affected software/impact: Himer WordPress theme prior to 2.1.1 contains CSRF vulnerabilities in group-management actions (e.g., declining/accepting invitations, leaving a group). The root cause is missing CSRF checks in certain areas, enabling logged-in users to be targeted via CSRF attacks. Vers...

CVSS 6.3 · AI score 4.5 · EPSS 0.00193
Exploits 2 · References 1 · Affected Software 1
Positive Technologies · added 2024/07/03 12:00 a.m. · 4 views

PT-2024-19343 · Himer · Himer

Name of the Vulnerable Software and Affected Versions: Himer WordPress theme versions prior to 2.1.1 Description: The issue concerns the lack of CSRF checks in certain areas, allowing attackers to perform unwanted actions on logged-in users through CSRF attacks. This includes actions such as...

CVSS 6.3 · AI score 7.3 · EPSS 0.00193
Exploits 2 · References 4
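
The Himer entries above (CVE-2024-2232 and CVE-2024-2233) are the classic CSRF shape: group invitation, accept, decline and leave are triggered by a cookie-authenticated request, and the browser attaches that cookie to a form an attacker's page submits on the victim's behalf. The Python below is an added example of the token check those handlers lacked; it is not the theme's code (which is PHP on WordPress), and the `Groups` store, the session shape, the HMAC key and the constructed cross-site form are assumptions made for the illustration. The weak handler performs the action because the session is valid; the hardened one also demands a token that only the server's own page could have embedded.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret (constructed for this example).
CSRF_KEY = secrets.token_bytes(32)
GROUP_ACTIONS = {"invite", "accept", "decline", "leave"}


def csrf_token(session_id, action):
    """Token the server embeds in its own forms: bound to the session and the action,
    so a token leaked from one form cannot drive a different action."""
    return hmac.new(CSRF_KEY, f"{session_id}:{action}".encode(), hashlib.sha256).hexdigest()


class Groups:
    """Minimal stand-in for group membership state."""

    def __init__(self):
        self.members = {}  # group -> set of users
        self.pending = {}  # group -> set of invited users

    def apply(self, group, action, user, target=None):
        members = self.members.setdefault(group, set())
        pending = self.pending.setdefault(group, set())
        if action == "invite":
            pending.add(target)
        elif action == "accept":
            pending.discard(user)
            members.add(user)
        elif action == "decline":
            pending.discard(user)
        elif action == "leave":
            members.discard(user)
        else:
            raise ValueError(f"unknown action {action!r}")
        return True


def handle_weak(groups, session, form):
    """Vulnerable pattern: the browser attached the session cookie, so the action
    runs. A form auto-submitted from an attacker's page carries that cookie too."""
    return groups.apply(form["group"], form["action"], session["user"], form.get("target"))


def handle(groups, session, form):
    """Hardened pattern: the request must also carry the token bound to this session
    and this action. A cross-site page cannot read the victim's page, so it cannot
    obtain or forge the token."""
    action = form.get("action")
    if action not in GROUP_ACTIONS:
        raise ValueError("unknown action")
    supplied = form.get("_csrf", "")
    expected = csrf_token(session["id"], action)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise PermissionError("missing or invalid CSRF token")
    return groups.apply(form["group"], action, session["user"], form.get("target"))


# Constructed request: what a logged-in victim's browser is made to POST from an
# attacker-controlled page. The cookie is present, the token is not.
CROSS_SITE_FORM = {"group": "private-board", "action": "invite", "target": "mallory"}
```

In WordPress itself the equivalent mechanism is a nonce emitted with `wp_nonce_field()` and checked with `check_admin_referer()` or `wp_verify_nonce()`; the structure is the same, a server-generated value tied to the user and the action that the form must echo back. Marking the session cookie `SameSite=Lax` is a worthwhile second layer, but it is not a substitute for the token, since same-site pages and some navigations still send the cookie.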
NVD · added 2024/06/06 7:16 p.m. · 14 views

CVE-2024-5132

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

Exploits 0