30 matches found
CVE-2026-6542 Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id
IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flowid to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow...
CVE-2026-31950
LibreChat exposes an IDOR in SSE stream subscriptions. In versions 0.8.2-rc2 through 0.8.2-rc3, the endpoint /api/agents/chat/stream/:streamId does not verify stream ownership, allowing any authenticated user who guesses or obtains a valid streamId to subscribe and read another user’s real-time c...
CVE-2023-40124
In multiple locations, there is a possible cross-user read due to a confused deputy. This could lead to local information disclosure of photos or other images with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48608
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
EUVD-2025-201802
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48608
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48608
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48608
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48608
CVE-2025-48608 affects the Android SettingsProvider.java isValidMediaUri path, enabling cross-user media read due to a missing permission check. The issue permits local information disclosure without user interaction (ATT&CK: T1552-like, per the description), with CVSS 3.1 base score 5.5 (AV:L/AC...
PT-2025-49581
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2023-21279
In visitUris of RemoteViews.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2023-21312
In IntentResolver, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2024-43090
In multiple locations, there is a possible cross-user image read due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation...
CVE-2024-43082
In onActivityResult of EditUserPhotoController.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2022-43841
IBM Aspera Console 3.4.0 through 3.4.2 PL9 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 239078...
CVE-2023-40124
In multiple locations, there is a possible cross-user read due to a confused deputy. This could lead to local information disclosure of photos or other images with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2023-40124
In multiple locations, there is a possible cross-user read due to a confused deputy. This could lead to local information disclosure of photos or other images with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2023-40124
In multiple locations, there is a possible cross-user read due to a confused deputy. This could lead to local information disclosure of photos or other images with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2023-40124
CVE-2023-40124 involves a local information disclosure (cross-user read) due to a confused deputy. Public docs from NVD/Red Hat/OSV describe impact as local, with no execution privileges required and no user interaction needed. Android security bulletin entries for 2023-11-01/05 group this under ...
CVE-2023-40124
In multiple locations, there is a possible cross-user read due to a confused deputy. This could lead to local information disclosure of photos or other images with no additional execution privileges needed. User interaction is not needed for exploitation...