CVE-2023-3587
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state allowing any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions...
CVE-2023-3587 Inconsistent state in UI after boards permission change by system admin
Incorrect Authorization
github.com/mattermost/mattermost-server is vulnerable to Incorrect Authorization. The vulnerability exists because the createUserAccessToken function of user.go fails to restrict a user with permission to edit other users and to create personal access tokens from elevating their privileges to the...
GHSA-7G2V-2FRM-RG94 Mattermost Incorrect Authorization vulnerability
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin...
Code injection
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin...
CVE-2023-2515 Privilege escalation to system admin via personal access tokens
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin...
CVE-2020-36065
Cross Site Request Forgery CSRF vulnerability in FlyCms 1.0 allows attackers to add arbitrary administrator accounts via system/admin/adminsave...
PT-2023-11799 · Flycms · Flycms
Name of the Vulnerable Software and Affected Versions: FlyCms version 1.0. Description: A Cross Site Request Forgery (CSRF) issue allows attackers to add arbitrary administrator accounts via the "system/admin/adminsave" endpoint. This can be exploited by attackers to gain unauthorized access to the...
Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability
A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this...
CVE-2022-31007
eLabFTW prior to 4.3.0 contains a permission issue where an authenticated administrator within a team can grant themselves system administrator privileges or create a new system administrator account. The vulnerability stems from abuse of administrator permissions and is mitigated in version 4.3....
GHSA-9RR5-Q43R-CCV4 Mattermost Server does not prevent System Admin from arbitrary file creation
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files...
A NULL pointer dereference flaw was found in the btrfs_rm_device function in fs/btrfs/volumes.c in the Linux Kernel where triggering the bug requires ‘CAP_SYS_ADMIN’. This flaw allows a local attacker to crash the system or leak kernel internal information. The highest threat from this vulnerability is to system availability.
CVE-2020-15598
Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial...
The vulnerability of the System Admin component of the Oracle Communications Session Border Controller allows a perpetrator to compromise the confidentiality, integrity, and accessibility of the protected information.
The vulnerability of the System Admin component of the Oracle Communications Session Border Controller is related to insufficient validation of input data. Exploiting this vulnerability could allow an attacker, operating remotely, to compromise the confidentiality, integrity, and accessibility of...
CVE-2020-14580
CVE-2020-14580 affects Oracle Communications Session Border Controller (Oracle Communications Applications, component: System Admin) in versions 8.1.0, 8.2.0 and 8.3.0. The description indicates an easily exploitable vulnerability that allows a low-privilege attacker with network access via SSH t...
CVE-2016-11077
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account...
Directory traversal
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal...