151 matches found
CVE-2024-39717
The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged in with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. Tenant-level users do not have this privilege. The “Change Favicon” Favorite Icon...
PT-2024-38785 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.8.x through 9.8.2; Mattermost versions 9.5.x through 9.5.7; Mattermost versions 9.9.x through 9.9.1; Mattermost versions 9.10.x through 9.10.0. Description: The issue arises from the failure to restrict which roles can promo...
CVE-2024-35224
OpenProject contains a Stored XSS in the Cost Report feature caused by misconfigured tablesorter. The vulnerability allows an attacker with Edit work packages and Add attachments permissions to store JavaScript via a ticket attachment, bypassing CSP and potentially escalating privileges to a Syst...
CVE-2024-35224 Stored Cross-Site Scripting (XSS) in OpenProject
OpenProject is the leading open source project management software. OpenProject utilizes tablesorter inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via icon substitution in table header values. This attack requires the permissions "Edit work package...
CVE-2024-3164
In the dotCMS dashboard, the Tools and Log Files tabs under System → Maintenance Portlet, which is and always has been an Admin portlet, are accessible to anyone with that portlet and not just to CMS Admins. Users that get site admin but not system admin should not have access to the System...
BIT-MATTERMOST-2023-2515
Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their privileges to system admin...
BIT-MATTERMOST-2023-4478
Mattermost fails to restrict which parameters' values it takes from the request during signup, allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts...
CVE-2024-22699
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/updategroupsave...
CVE-2024-22593
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/addgroupsave...
Cross-Site Request Forgery (CSRF)
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/addgroupsave...
CVE-2023-4478
Mattermost fails to restrict which parameters' values it takes from the request during signup, allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts...
CVE-2023-4478
Mattermost is affected by CVE-2023-4478 due to improper handling of signup request parameters, allowing an attacker to register users as inactive and thereby block future access unless an admin activates the accounts. The issue stems from the system’s failure to restrict which request parameters ...
CVE-2023-4478 Parameter tampering in the registration resulting in blocked accounts to be created
Mattermost fails to restrict which parameters' values it takes from the request during signup, allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts...
Incorrect Authorization
github.com/mattermost/mattermost-server is vulnerable to Incorrect Authorization. The vulnerability exists because the library does not properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first...
CVE-2023-4107
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name...
Code injection
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name...
CVE-2023-4107
Mattermost: Incorrect authorization allows a user manager to update a system admin’s details (email, first name, last name) due to inadequate permission checks. Affects Mattermost server implementations documented across Red Hat, EUVD/ENISA, VERACODE, OSV, GHSA and NVD entries. The issue is descr...
CVE-2023-4107 Incorrect authorization allows a user manager to update a system admin
Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name...
PT-2023-26070 · Unknown · Online Nurse Hiring System
Name of the Vulnerable Software and Affected Versions: Online Nurse Hiring System version 1.0. Description: The issue is related to a cross-site scripting (XSS) vulnerability found in the Profile Page of the Admin section. This type of vulnerability allows attackers to inject malicious scripts into...