73 matches found
CVE-2025-52963
An Improper Access Control vulnerability in the User Interface UI of Juniper Networks Junos OS allows a local, low-privileged attacker to bring down an interface, leading to a Denial-of-Service. Users with "view" permissions can run a specific request interface command which allows the user to sh...
CVE-2022-39291
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request...
IBM i 安全漏洞
IBM i is a suite of operating systems from International Business Machines IBM running in IBM Power Systems and IBM PureSystems. A security vulnerability exists in IBM i versions 7.4 and 7.5 that stems from vulnerability to an authenticated user who has gained elevated privileges to a physical...
CVE-2024-53855
Centurion ERP prior to 1.3.1 allows an authenticated user with certain ticket-view permissions (view_ticket_change, view_ticket_incident, view_ticket_request, view_ticket_problem) to view tickets belonging to other organizations when using the API endpoints for tickets. The UI and Project Tasks a...
CVE-2024-53855 User can view tickets from organizations they're not apart of in centurion_erp
Centurion ERP Enterprise Rescource Planning is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management ITSM modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they...
PT-2024-22801
Name of the Vulnerable Software and Affected Versions Nautobot versions prior to 1.6.16 Nautobot versions prior to 2.1.9 Description A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated users. These endpoints include "/api/graphql/",...
Incorrect Default Permissions
Overview com.liferay:com.liferay.journal.web is a Liferay Journal Web Affected versions of this package are vulnerable to Incorrect Default Permissions due to the default assignment of view permissions to guest users for web content templates via the UI or API. Remediation Upgrade...
CVE-2023-44401 Silverstripe GraqhQL's view permissions are bypassed for paginated lists of ORM data
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number o...
CVE-2023-44401 View permissions are bypassed for paginated lists of ORM data in GraphQL queries
More info at https://www.silverstripe.org/download/security-releases/CVE-2023-44401...
Strapi may leak sensitive user information, user reset password, tokens via content-manager views
Summary I can get access to user reset password tokens if I have the configure view permissions Details /content-manager/relations route does not remove private fields or ensure that they can't be selected PoC Install fresh strapi instance start up strapi and create an account create a new...
Information Disclosure
gitlab is vulnerable to Information Disclosure. The vulnerability exists due to lack of view permissions of trigger tokens which allows an attacker to expose trigger tokens configured on that project...
Information Disclosure
gitlab is vulnerable to Information Disclosure. The vulnerability exists due to lack of view permissions on members which allows an attacker to gain access to the members of private groups...
PT-2023-32999 · Umami · Umami
Name of the Vulnerable Software and Affected Versions: Umami affected versions not specified Description: The issue allows anyone with a share link to reset website data. When a user navigates to a /share/ URL, they receive a share token used for authentication, which is later verified by useAuth...
SUSE CVE-2016-5012
In Moodle 3.x, glossary search displays entries without checking user permissions to view them...
DEBIAN-CVE-2022-39291
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request...
PT-2022-24874 · Unknown +2 · Zoneminder +2
Name of the Vulnerable Software and Affected Versions: ZoneMinder affected versions not specified Description: The issue allows users with "View" system permissions to inject new data into the logs stored by ZoneMinder through an HTTP POST request to the "/zm/index.php" endpoint. This could affec...
CVE-2022-39291 Denial of service through logs in zoneminder
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request...
PT-2022-13917 · Octopus Deploy +1 · Octopus Server +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue concerns improper verification of permissions in the API for projects using Git version control. This flaw allows users with only ProjectView...
CVE-2021-22967
In Concrete CMS formerly concrete 5 below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit...
GHSA-HVMF-R92R-27HR Django allows unintended model editing
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests,...