
15 matches found

OSV
added 2026/04/09 10:16 a.m. · 4 views

PYSEC-2026-21

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role. This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...

CVSS 6.5 · AI score 5.9 · EPSS 0.00013
Exploits 0 · References 3
RedhatCVE
added 2026/01/16 2:23 p.m. · 3 views

CVE-2026-22639

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01,...

CVSS 4.3 · AI score 6.8 · EPSS 0.00038
Exploits 0 · References 1
RedhatCVE
added 2025/11/26 4:56 p.m. · 2 views

CVE-2025-12739

An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This...

CVSS 7.3 · AI score 6.9 · EPSS 0.0005
Exploits 0 · References 1
CVE
added 2025/11/24 9:11 a.m. · 10 views

CVE-2025-12739

CVE-2025-12739 involves a Cross-Site Scripting (XSS) vulnerability in Looker’s Extension Loader. An attacker with viewer permissions can craft a malicious URL that, when opened by a Looker administrator, could run attacker-supplied script. Exploitation requires at least one Looker extension insta...

CVSS 7.3 · AI score 6.6 · EPSS 0.0005
Exploits 0 · References 1
Positive Technologies
added 2025/11/24 12:00 a.m. · 2 views

PT-2025-47896

An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This...

CVSS 7.3 · AI score 6.9 · EPSS 0.0005
Exploits 0 · References 1
Snyk
added 2025/07/17 12:30 p.m. · 2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the DingDing alert integration. An attacker can access sensitive information by leveraging Viewer-level permissions to interact with the integration. Remediation Upgrade...

CVSS 5.3 · AI score 6.7 · EPSS 0.00438
Exploits 0 · References 2
Snyk
added 2025/07/17 12:30 p.m. · 1 view

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the DingDing alert integration. An attacker can access sensitive information by leveraging Viewer-level permissions to interact with the integration. Remediation Upgrade...

CVSS 5.3 · AI score 6.7 · EPSS 0.00438
Exploits 0 · References 2
Cvelist
added 2025/07/17 10:13 a.m. · 8 views

CVE-2025-3415

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01,...

CVSS 4.3 · EPSS 0.00438
Exploits 0 · References 1
AlpineLinux
added 2025/01/31 4:15 p.m. · 1 view

CVE-2024-11741

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15...

CVSS 4.3 · AI score 7 · EPSS 0.00103
Exploits 0 · References 2
Cvelist
added 2024/12/02 2:42 p.m. · 21 views

CVE-2024-46907 WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions are required) to achieve privilege escalation to the admin account...

CVSS 8.8 · EPSS 0.01706
Exploits 0 · References 3
CNNVD
added 2023/04/15 12:00 a.m. · 1 view

XWiki Commons code injection vulnerability

XWiki Commons is a technology library shared by several other top XWiki projects. A security vulnerability exists in XWiki Commons, which stems from the fact that any user with view permissions to normally accessible documents, including legacy notification activity macros, can execute arbitrary...

CVSS 9.9 · AI score 8.2 · EPSS 0.18932
Exploits 1 · References 4
Positive Technologies
added 2021/03/08 12:00 a.m. · 5 views

PT-2021-13875 · Moodle +1 · Moodle +1

Name of the Vulnerable Software and Affected Versions: moodle versions prior to 3.10.2; moodle versions prior to 3.9.5; moodle versions prior to 3.8.8; moodle versions prior to 3.5.17. Description: The web service responsible for fetching other users' enrolled courses did not validate that the...

CVSS 9.8 · AI score 6.2 · EPSS 0.39399
Exploits 19 · References 105
RedhatCVE
added 2019/10/11 4:30 p.m. · 31 views

CVE-2017-15138

An improper authorization flaw in the atomic-openshift component of Openshift Container Platform 3.7 and earlier allows a user with cluster-reader project viewer permissions to trigger an application build. An attacker could use this flaw to trigger a build of an application when that should be...

CVSS 5 · AI score 3.7 · EPSS 0.00165
Exploits 0 · References 1
OSV
added 2018/06/11 9:29 p.m. · 2 views

DEBIAN-CVE-2018-5158

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

CVSS 8.8 · AI score 8.2 · EPSS 0.43031
Exploits 0 · References 1
RedHat Linux
added 2018/05/14 3:19 p.m. · 3 views

Mozilla: Malicious PDF can inject JavaScript into PDF Viewer

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

CVSS 8.8 · AI score 7.2 · EPSS 0.43031
Exploits 0 · References 5