17 matches found
CVE-2026-33313
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...
CVE-2026-33313
CVE-2026-33313 / GHSA-MR3J-P26X-72X4 – Vikunja IDOR in Task Comments : An authenticated user who can read a task can read any comment by ID by substituting a task ID in the API URL (GET /api/v1/tasks/{taskID}/comments/{commentID}). Root cause: the system constructs a Task from the URL taskID and ...
PT-2026-26751
Vulnerable software and affected versions: Vikunja, affected versions not specified. Description: An authenticated user can access task comments without proper authorization checks. Specifically, an attacker can read any task comment by ID, even if they do not have access to the associate...
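The three Vikunja entries above describe the same pattern: the task named in the URL is authorised, but the comment is then loaded by its own ID without checking that it belongs to that task. The following is an added illustration of that pattern and its fix, not Vikunja's own code; the in-memory store, the owner-only permission model, the user and comment IDs are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model standing in for the task and comment tables.
type Task struct {
	ID      int64
	OwnerID int64
}

type Comment struct {
	ID     int64
	TaskID int64
	Body   string
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Store is a constructed fixture: two tasks owned by different users,
// each with one comment.
type Store struct {
	tasks    map[int64]Task
	comments map[int64]Comment
}

func NewStore() *Store {
	return &Store{
		tasks: map[int64]Task{
			1: {ID: 1, OwnerID: 100}, // attacker's own task
			2: {ID: 2, OwnerID: 200}, // victim's task
		},
		comments: map[int64]Comment{
			10: {ID: 10, TaskID: 1, Body: "attacker's comment"},
			99: {ID: 99, TaskID: 2, Body: "victim's private comment"},
		},
	}
}

// canReadTask is an assumed per-task permission check (owner-only here).
func (s *Store) canReadTask(userID, taskID int64) bool {
	t, ok := s.tasks[taskID]
	return ok && t.OwnerID == userID
}

// GetCommentVulnerable mirrors the flawed pattern for
// GET /api/v1/tasks/{taskID}/comments/{commentID}: access to the URL's task
// is checked, but the comment is fetched purely by commentID, so the URL
// taskID and the comment's real TaskID are never compared.
func (s *Store) GetCommentVulnerable(userID, taskID, commentID int64) (Comment, error) {
	if !s.canReadTask(userID, taskID) {
		return Comment{}, ErrForbidden
	}
	c, ok := s.comments[commentID]
	if !ok {
		return Comment{}, ErrNotFound
	}
	return c, nil
}

// GetCommentFixed binds the comment to the authorised task: a comment whose
// TaskID differs from the URL taskID is reported as not found, so the caller
// learns nothing about comments on tasks they cannot read.
func (s *Store) GetCommentFixed(userID, taskID, commentID int64) (Comment, error) {
	if !s.canReadTask(userID, taskID) {
		return Comment{}, ErrForbidden
	}
	c, ok := s.comments[commentID]
	if !ok || c.TaskID != taskID {
		return Comment{}, ErrNotFound
	}
	return c, nil
}

func main() {
	s := NewStore()
	attacker := int64(100)
	// The attacker substitutes their own task (1) for the victim's (2) in the URL
	// while keeping the victim's comment ID (99).
	c, err := s.GetCommentVulnerable(attacker, 1, 99)
	fmt.Println("vulnerable:", c.Body, err)
	c, err = s.GetCommentFixed(attacker, 1, 99)
	fmt.Println("fixed:", c.Body, err)
}
```

The fix returns the same not-found error for a comment on a foreign task as for a nonexistent comment, so a requester cannot use the response to probe which comment IDs exist on tasks they cannot see.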
CVE-2009-4520
The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path...
EUVD-2016-3090
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2024-25983
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available e.g....
CVE-2016-20002
The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy...
CVE-2005-4725
Geeklog before 1.3.11sr3 allows remote attackers to bypass intended access restrictions and comment on an arbitrary story or topic by guessing the story ID...
WordPress Download Plugin plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download vulnerability
Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download vulnerability discovered by Wordfence in the WordPress Download Plugin plugin, versions <= 2.2.0...
Design/Logic Flaw
The REST/JSON project 7.x-1.x for Drupal allows comment access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy...
CVE-2019-13004
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. When specific encoded characters were added to comments, the comments section would become inaccessible. It has Incorrect Access Control issue 1 of 2...
GitLab has an unspecified vulnerability (CNVD-2019-42888)
GitLab is a self-hosted Git repository management application, built on Ruby on Rails, from the US company GitLab. It gives access to a project's file contents, commit history, issue list, and more. A security vulnerability exists in GitLab Community and...
DRUPAL-CORE-2018-001
This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list. Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926 Users with permission to post comments are able to view content and comments they do not have...
REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033
This module enables you to expose content, users and comments via a JSON API. The module contains multiple vulnerabilities, including: node access bypass, comment access bypass, user enumeration, field access bypass, user registration bypass, blocked user login, session name guessing, session enumeration...
SA-CONTRIB-2014-010 - Services - Access Bypass and Privilege Escalation
The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. User update access bypass vulnerability An authenticated user is able to assign additional roles to themselves, which means they can escalate their privileges by assigning an...
CVE-2013-2122
The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to comments, which allows remote authenticated users with the "edit comments" permission to edit arbitrary comments of other users via unspecified vectors...