15 matches found
EUVD-2025-37028
Kanova Android App version 1.0.27 package name com.karelane, developed by Karely L.L.C., contains improper access control vulnerabilities. Attackers may gain unauthorized access to user details and obtain group information, including entry codes, by manipulating API request parameters. Successful...
EUVD-2019-0425
Malware in sbrugna...
EUVD-2025-21385
Malicious code in bioql PyPI...
Information Disclosure
Indico is vulnerable to information disclosure. The vulnerability is due to an endpoint exposing user details such as name, affiliation, and email in bulk when listed in certain fields like ACLs, which allows an attacker to retrieve basic user information without proper authorization...
CVE-2025-3769
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'viewbookingsummaryinlightbox' due to missing validation on a user controlled key. This makes it possible...
Authorization Bypass Through User-Controlled Key
Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to insufficient capability checks in the web service. An attacker can access sensitive user details such as full names and profile images by...
CVE-2025-3640
A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access...
PT-2024-11559 · Ovaledge · Ovaledge
Name of the Vulnerable Software and Affected Versions: OvalEdge versions 5.2.8.0 and earlier Description: The issue allows for Sensitive Data Exposure through a GET request to the "/user/getUserType" API endpoint, which does not require authentication. This exposes information related to the...
PT-2024-30168 · Unknown · Kashipara Music Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Music Management System version 1.0 Description: The issue is related to an Incorrect Access Control vulnerability. This vulnerability affects the /music/view user.php and /music/controller.php API endpoints, specifically when the i...
Design/Logic Flaw
alf.io is an open source ticket reservation system. Prior to version 2.0-Mr-2402, organization owners can view the generated API KEY and USERS of other organization owners using the http://192.168.26.128:8080/admin/api/users/ endpoint, which exposes the details of the provided user ID. This may...
HCL Technologies DRYiCE MyXalytics Security Breach
HCL Technologies DRYiCE MyXalytics is a unified reporting and dashboard product from HCL Technologies, USA. A security vulnerability exists in HCL Technologies DRYiCE MyXalytics that stems from improper access control and allows users to obtain certain details about other users...
Critical Vulnerability in Open SSL
There are no details yet, but its really important that you patch Open SSL 3.x when the new version comes out on Tuesday. How bad is "Critical"? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable. Its likely to be abused to disclose...
PT-2021-14356
Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3 Description: OneDev is an all-in-one devops platform. The REST UserResource endpoint performs a security check to ensure only administrators can list user details. However, the /users/id endpoint lacks security...
CVE-2019-16245
OMERO before 5.6.1 makes the details of each user available to all users...
jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page...