28 matches found
CVE-2026-24906
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the stylesheet input in the backend configuration forms. An attacker can execute arbitrary scripts in the context of other users by injecting malicious HTML or JavaScript through the editor settings. This ca...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation of the serviceAccount path in the HashiCorp Vault authentication process. An attacker can access and exfiltrate arbitrary files from the node's filesystem by creating or modifying a...
Apple macOS Tahoe Insufficient Privilege Restriction Vulnerability
Apple macOS Tahoe is a desktop operating system released by Apple on June 10, 2025, using the Liquid Glass design language and integrating several AI and cross-device features. Apple macOS Tahoe suffers from an insufficient permission restriction vulnerability that stems from a flaw in the system'...
EUVD-2020-1407
Malware in sbrugna...
DRUPAL-CONTRIB-2025-071
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be...
CVE-2024-8071 System Role with edit access to permissions can elevate themselves to system admin
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user to system admin, which allows a System Role with edit access to the permissions section of the System Console to update their role (e.g. member) to include the manage_system...
Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects
Impact: What kind of vulnerability is it? Who is impacted? A user with permissions to view Dynamic Group records (extras.view_dynamicgroup permission) can use the Dynamic Group detail UI view (/extras/dynamic-groups/<uuid>/) and/or the members REST API view (/api/extras/dynamic-groups/<uuid>/members/) to list the...
Command injection
NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because it uses the untrusted github.head_ref field. The github.head_ref value is an...
CVE-2023-2459
Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to bypass permission restrictions via a crafted HTML page. Chromium security severity: Medium...
PT-2022-25760 · Jenkins · Jenkins Worksoft Execution Manager Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Worksoft Execution Manager Plugin versions 10.0.3.503 and earlier. Description: A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs, capturin...
Design/Logic Flaw
The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels...
CVE-2022-2408
Mattermost CVE-2022-2408 affects version 6.7.0 and earlier. The Guest account feature fails to properly restrict permissions, allowing a guest to fetch a list of all public channels in a team even if not a member of those channels. Root cause is a permission-check issue within the Guest feature. ...
PT-2022-18870 · Mediawiki +1 · Mediawiki +1
Name of the Vulnerable Software and Affected Versions: MediaWiki versions prior to 1.35.6; MediaWiki versions 1.36.x prior to 1.36.4; MediaWiki versions 1.37.x prior to 1.37.2. Description: An issue was discovered in MediaWiki where users with the editinterface permission can trigger infinite...
DayByDay CRM Information Disclosure Vulnerability (CNVD-2022-68548)
DayByDay CRM is an open source CRM (Customer Relationship Management) software, based on Laravel, that helps users keep track of clients, tasks, meetings and more. The DayByDay CRM Information Disclosure Vulnerability stems from the product's failure to add an effective restriction o...
openGauss: Restricting the Permission for the ${GAUSSHOME}/share Directory
The ${GAUSSHOME}/share directory stores the shared components of openGauss. To prevent them from being tampered with or damaged, the directory must be protected and unauthorized user access must be denied. Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from a referenced source...
CVE-2017-18916
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction...
CVE-2020-11094
CVE-2020-11094 affects the October CMS debugbar plugin prior to v3.1.0. The issue is an information disclosure vulnerability where the plugin logs all requests, including session data, which could allow untrusted users to view sensitive information. Affected component is the debugbar feature that...