260 matches found

OSV
added 2021/12/13 11:15 a.m., 3 views

CVE-2021-24819

The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as...

CVSS 4.3 | AI score 5.8
Exploits: 0 | References: 1

CNNVD
added 2021/12/13 12:0 a.m., 3 views

WordPress Plugin Security Vulnerability

WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on servers with PHP and MySQL. WordPress Page/Post Content Shortcode plugin in and prior versions is vulnerable to an authorization...

CVSS 4.3 | AI score 5.7 | EPSS 0.00783
Exploits: 2 | References: 2

OSV
added 2021/12/06 11:57 p.m., 29 views

GHSA-XR38-W74Q-R8JV Permissions not properly checked in Invenio-Drafts-Resources

Impact Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and...

CVSS 6.4 | AI score 5.3 | EPSS 0.00662
Exploits: 1 | References: 5

Github Security Blog
added 2021/12/06 11:57 p.m., 30 views

Permissions not properly checked in Invenio-Drafts-Resources

Impact Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and...

CVSS 6.4 | AI score 0.4 | EPSS 0.00662
Exploits: 1 | References: 6 | Affected Software: 3

PyPA
added 2021/12/06 6:15 p.m., 5 views

PYSEC-2021-836

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

CVSS 6.4 | AI score 7 | EPSS 0.00662
Exploits: 1 | References: 2 | Affected Software: 1

PyPA
added 2021/12/06 6:15 p.m., 5 views

PYSEC-2021-837

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

CVSS 6.4 | AI score 7 | EPSS 0.00662
Exploits: 1 | References: 2 | Affected Software: 1

PyPA
added 2021/12/06 6:15 p.m., 7 views

PYSEC-2021-838

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

CVSS 6.4 | AI score 7 | EPSS 0.00662
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2021/12/06 6:15 p.m., 18 views

PYSEC-2021-838

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

CVSS 6.4 | AI score 3.7 | EPSS 0.00662
Exploits: 1 | References: 2

OSV
added 2021/12/06 6:15 p.m., 22 views

PYSEC-2021-836

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

CVSS 6.4 | AI score 3.7 | EPSS 0.00662
Exploits: 1 | References: 2

CVE
added 2021/12/06 5:45 p.m., 59 views

CVE-2021-43781

CVE-2021-43781 concerns Invenio-Drafts-Resources. The issue: versions prior to 0.13.7 and 0.14.6 fail to enforce permissions when publishing a record, allowing an authenticated user to publish draft records belonging to others via REST API if the record ID is known and the draft passes validation...

CVSS 6.4 | AI score 4.6 | EPSS 0.00662
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2021/12/06 5:45 p.m., 12 views

CVE-2021-43781 Permissions not properly checked in Invenio-Drafts-Resources

Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default...

CVSS 6.4 | AI score 6.5 | EPSS 0.00662
Exploits: 1 | References: 2

CNNVD
added 2021/12/06 12:0 a.m., 4 views

Invenio-Drafts-Resources Security Vulnerability

Invenio-Drafts-Resources is a submission/deposit module for Invenio. It is used for research data management. A security vulnerability exists in Invenio-Drafts-Resources versions prior to 0.13.7 and 0.14.6, which stems from a failure to properly check permissions in the affected product. The...

CVSS 6.4 | AI score 5.7 | EPSS 0.00662
Exploits: 1 | References: 3

OSV
added 2021/09/20 10:15 a.m., 0 views

CVE-2021-24635

The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user such as subscriber to call them and 1 Get and search through title and content of Draft post, ...

CVSS 5.4 | AI score 6.1
Exploits: 0 | References: 1

Hacker One
added 2021/08/04 2:54 p.m., 13 views

LY Corporation: Access to images and videos in drafts on LINE BLOG

On LINE BLOG, sequential ID is assigned to each image/video when uploaded, and the ID is converted to actual URL on preview/publish. Due to the bug in the attachment ownership verification process, it could be possible for an attacker to view unpublished images/videos in other users' drafts by...

AI score 6.8
Exploits: 0

Hacker One
added 2021/07/27 9:21 a.m., 19 views

LY Corporation: See drafts and post articles if the account owner hasn't set password (livedoor CMS plugin)

For new accounts that haven't set passwords yet, an attacker is able to see drafts or post articles as victims...

AI score 6.9
Exploits: 0

OSV
added 2021/05/06 3:52 p.m., 1 views

GHSA-QCG2-H349-VWM3 Cross-site Scripting in React Draft Wysiwyg

react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URI in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS...

CVSS 5.4 | AI score 5.9 | EPSS 0.00795
Exploits: 1 | References: 4

OSV
added 2020/12/28 8:15 a.m., 13 views

CVE-2020-26031

An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers who are authenticated but have insufficient permissions...

CVSS 4.3 | AI score 6.6
Exploits: 0 | References: 1

Cvelist
added 2020/12/28 7:57 a.m., 14 views

CVE-2020-26031

An issue was discovered in Zammad before 3.4.1. The global-search feature leaks Knowledge Base drafts to Knowledge Base readers who are authenticated but have insufficient permissions...

AI score 4.6 | EPSS 0.0063
Exploits: 0 | References: 1

CNNVD
added 2020/12/28 12:0 a.m., 3 views

Zammad Security Vulnerability

Zammad is a Web-based open source helpdesk/customer support system. An information disclosure vulnerability exists in Zammad versions prior to 3.4.1. The vulnerability can be exploited by an attacker to gain unauthorized access to a knowledge base draft via the global search function...

CVSS 4.3 | AI score 5.8 | EPSS 0.0063
Exploits: 0 | References: 2

OSV
added 2020/09/16 4:32 p.m., 1 views

DRUPAL-CORE-2020-008

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass...

CVSS 5.3 | AI score 6.8 | EPSS 0.00928
Exploits: 0 | References: 1