7047 matches found
e-learning.igacloud.net Cross Site Scripting vulnerability OBB-3751046
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
PT-2023-6722 · Ilias · Ilias
Name of the Vulnerable Software and Affected Versions: ILIAS version 7.25 Description: The issue exists due to incorrect restriction of the path name to a directory with limited access in the Learning Module component of the ILIAS learning management system. Exploitation of this issue may allow a...
CLUEVO LMS, E-Learning Platform < 1.11.0 - Settings Update via CSRF
Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
Frappe Learning Management System Cross-Site Scripting Vulnerability
Frappe Learning Management System is an easy-to-use open source learning management system from Frappe Open Source. A cross-site scripting vulnerability exists in Frappe Learning Management System. An attacker could exploit this vulnerability to perform cross-site scripting attacks...
CVE-2023-41882
vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/id/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version...
CVE-2023-28635
vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to...
Design/Logic Flaw
vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to...
PYSEC-2023-200
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources such as tasks from that collaboration should be deleted. This is partly to manage data properly, but also to prevent a potential but unlikely side-effect that affects versions...
PYSEC-2023-201
vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/id/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version...
PYSEC-2023-198
vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to...
CVE-2023-41882
Vantage6 vulnerability: The /api/collaboration/{id}/task endpoint incorrectly enforces access control prior to version 4.0.0 by only checking collaboration permission instead of task-permission. Affected product: vantage6 privacy-preserving federated learning infrastructure. Patch: version 4.0.0 ...
CVE-2023-41882 vantage6 Improper Access Control vulnerability
vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/id/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However, prior to version...
CVE-2023-41881 Deleting a collaboration should also delete linked resources
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources such as tasks from that collaboration should be deleted. This is partly to manage data properly, but also to prevent a potential but unlikely side-effect that affects versions...
CVE-2023-41881
Vantage6 vulnerabilities: When a collaboration is deleted, linked resources (e.g., tasks) are not reliably deleted in versions prior to 4.0.0. This could allow authenticated users in a later-created collaboration to see results from the deleted collaboration in some cases. The issue is fixed in v...
CVE-2023-28635 Defining resource name as integer in vantage6 may give unintended access
vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which users are allowed to...
CVE-2023-28635
The CVE-2023-28635 issue affects vantage6 prior to version 4.0.0, where resources named with integers could bypass access controls and allow some users to run algorithms they’re not authorized to. The root cause is a mismatch between resource IDs and names, enabling attackers to exploit numeric i...