19 matches found
Flowise 授权问题漏洞
Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise 3.0.12 and earlier contained an authorization vulnerability. This vulnerability stemmed from issues with the operations of the parameter userId/organizationId/workspaceId/emai...
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Summary I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users guests to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth...
GHSA-6PCV-J4JX-M4VX Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Summary I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users guests to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth...
CVE-2026-21727 Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record
--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: " Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvssscore: "3.3" cvssvector:...
GHSA-HCVW-475W-8G7P Keycloak affected by improper invitation token validation
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...
Improper Verification of Cryptographic Signature
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the invitation tokens in the registration process. An...
PT-2026-7129
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak’s invitation token registration mechanism. The server does not verify the cryptographic signature of the JSON Web Token JWT. An attacker can modify the organization...
Chanjet CRM SQL注入漏洞
Chanjet CRM is a customer relationship management system from China's Chanjet. A SQL injection vulnerability exists in Chanjet CRM 20251121 and earlier versions, which stems from incorrect manipulation of the parameter gblOrgID in the file /tools/jxfdumptabledemo.php, which could lead to SQL...
CVE-2025-66385
UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges e.g., obtain a higher role such as admin via the user-edit endpoint by supplying or modifying roleid or organisationid fields in the edit request...
CVE-2025-64504 Langfuse vulnerable to cross‑organization enumeration of member & invitation lists via project membership APIs
Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any authenticated user on th...
CVE-2025-59686
Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id...
Vaultwarden 访问控制错误漏洞
Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust by Daniel García Personal Developer. Vaultwarden suffers from an access control error vulnerability that stems from the fact that an attacker can gain ownership of another organization by knowing the victim...
PT-2025-1891 · WordPress · Chative Live Chat/Chatbot Plugin
Name of the Vulnerable Software and Affected Versions: Chative Live chat and Chatbot plugin for WordPress versions up to, and including, 1.1 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the add chative widget action function. This...
PT-2024-18191 · Git +1 · Lunary +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue allows an attacker to join an organization without permission by knowing the organization's ID, granting them the ability to read and modify a...
Cerebrate 安全漏洞
Cerebrate is an open source platform. Designed to act as an interconnection coordinator between trusted contact information providers and other security tools. A security vulnerability exists in Cerebrate version 1.12 that stems from not properly considering the organizationid when creating API...
PT-2022-22326 · Tabit · Tabit
Name of the Vulnerable Software and Affected Versions: Tabit affected versions not specified Description: The issue concerns excessive data exposure through an API endpoint. Specifically, the endpoint for reservation cancellation contains the MongoDB ID of the reservation and organization, which...
CVE-2022-34775
Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/management/reservationId?organization=orgId API which return...
Grafana 访问控制错误漏洞
Grafana is a set of open source monitoring tools from Grafana Labs that provide a visual monitoring interface. The tool is primarily used to monitor and analyze Graphite, InfluxDB, and Prometheus, among others. A security vulnerability exists in Grafana Enterprise Logs versions 1.1.x through 1.3....
CVE-2018-1278
Apps Manager included in Pivotal Application Service, versions 1.12.x prior to 1.12.22, 2.0.x prior to 2.0.13, and 2.1.x prior to 2.1.4 contains an authorization enforcement vulnerability. A member of any org is able to create invitations to any org for which the org GUID can be discovered...