CVE-2025-12756 Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users...
LinkedIn: Previous commentor on post can still comment even after comment permission is changed to disabled
A logic error existed in the comment permission system that allowed users who had previously commented on a post to continue posting additional comments even after the post owner disabled commenting functionality. The vulnerability occurred when an account created a post with comments enabled,...
Atlassian Jira 8.6.0 < 8.6.1 Comment Permissions Broken Access Control
According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to version 7.13.12, 8.0.0 prior to 8.5.4 or 8.6.0 prior to 8.6.1. It is, therefore, affected by a vulnerability which permits remote attackers to make comments on a ticket to whi...
CVE-2022-42000
Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage...
PT-2022-26205 · Unknown +1 · Bluespicesocialprofile +1
Name of the Vulnerable Software and Affected Versions: BlueSpice (affected versions not specified). Description: The issue allows a user with comment permissions to inject arbitrary HTML into the comment section of a wikipage, which can lead to Cross-site Scripting (XSS). This occurs in the...
Jira Server Comment Permissions Broken Access Control Bug - CVE-2019-20106
Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug...