1115 matches found
PT-2024-19338 · 2Code · Himer
Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned Description: The issue lacks CSRF checks, allowing a user to invite any user to any group, including private groups. Recommendations: At the moment, there is no information about a newer version that...
CVE-2024-5127
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...
CVE-2024-5127 Improper Access Control in lunary-ai/lunary
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...
CVE-2024-5127
CVE-2024-5127 affects lunary-ai/lunary versions 1.2.2–1.2.25 and describes an improper access-control vulnerability in the Team feature. The backend does not validate whether a user has paid for a plan before allowing invites with roles, enabling Free-plan users to invite members and assign roles...
PT-2024-34584 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.2.2 through 1.2.25 Description: The issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not...
Jcow Social Network Cross Site Scripting Vulnerability
Exploit Title: Jcow Social Networking 14.2 3 After sending invitations you will see an alert button...
CVE-2024-2913
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...
CVE-2024-2913 Race Condition Vulnerability in mintplex-labs/anything-llm
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...
PT-2024-22751 · Unknown · Anything-Llm
Name of the Vulnerable Software and Affected Versions: anything-llm affected versions not specified Description: A race condition vulnerability exists in the user invite acceptance process, allowing attackers to create multiple user accounts from a single invite link by sending multiple concurren...
GHSA-W67V-PH4X-F48Q Mattermost Server Improper Access Control
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...
CVE-2024-29221 Invite ID available to team admins even without the "Add Members" permission
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the /api/v4/users/me/teams endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users,...
CVE-2024-29221
CVE-2024-29221 (Mattermost Server) describes improper access control in the /api/v4/users/me/teams endpoint, where a team admin could obtain the team invite ID and invite users despite lacking the Add Members permission. Affected versions include 8.1.x before 8.1.11, 9.x before 9.3.3/9.4.4/9.5.2....
Mattermost Server Security Vulnerability
Mattermost Server is an open source messaging platform from Mattermost, Inc. in the United States. A security vulnerability exists in Mattermost Server versions prior to 9.5.2, prior to 9.4.4, prior to 9.3.3, and prior to 8.1.11, which stems from a lack of proper access control in /api/v4/, where...
BIT-DISCOURSE-2024-27085 Denial of service through invites in Discourse
Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. User...
CVE-2024-27085
Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. User...
CVE-2024-27085 Denial of service through invites in Discourse
Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. User...