CVE-2024-7049
Open-webui/open-webui is affected at version v0.3.8. The root issue is that a token is returned when a user with a pending role logs in, allowing actions without admin approval and bypassing the intended approval workflow. The CVE entry lists a moderate impact (CVSS ~5.4) with no explicit exploit...
[M-01] Easily bypassing admin's 'pause' for swivel
Lines of code / Vulnerability details / Impact: Assuming the admin decides to pause an external principal when it is dangerous, malicious or unprofitable, bypassing the admin's decision can result in loss of funds for the project. Proof of Concept: The principals enum p is only used for unpausedp modifier, a...
Lark Technologies: [AWC-Pune] - User can download files deleted by Admin using shortcuts
A vulnerability was found in where a Lark user could bypass Admin restrictions on deleted files, which typically would block users of the file from downloading or using it. However, the user could add a shortcut of the file to a folder, and upon downloading that folder could access the file...