CVE-2026-54397 MISP event editing allows unauthorized assignment to undisclosed sharing groups
A vulnerability in MISP's non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event's sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the...
BIT-KAFKA-2026-41115 Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API
An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that is documented in the official Kafka documentation and in KIP-848. This...
CVE-2026-41115 Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API
An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that is documented in the official Kafka documentation and in KIP-848. This...
PT-2026-45725
Name of the Vulnerable Software and Affected Versions: Apache Kafka (affected versions not specified). Description: An improper authorization issue exists in the CONSUMER_GROUP_DESCRIBE (69) API. The implementation validates the DESCRIBE operation on the GROUP resource, which contradicts the READ...
Red Hat Ansible Automation Platform Security Vulnerability
The Red Hat Ansible Automation Platform is a unified solution for strategic automation provided by Red Hat Inc. There is a security vulnerability in the Red Hat Ansible Automation Platform. This vulnerability stems from the /etc/passwd file being set with group-writable permissions during the...
CVE-2026-24420 phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permissions check. The presence of a right key is improperly validated as proof of authorization in...
CVE-2026-24420
phpMyFAQ vulnerability CVE-2026-24420 affects versions 4.0.16 and older, where an authenticated user lacking the dlattachment right can download attachments due to a flawed permissions check in attachment.php. The access decision incorrectly treats the mere presence of a permission key as authori...
EUVD-2020-7807
Malware in sbrugna...
EUVD-2019-19297
Malware in sbrugna...
CVE-2023-4658
An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted t...
MGASA-2022-0210 Updated golang packages fix security vulnerability
The syscall.Faccessat function checks whether the calling process can access a file. Faccessat contains a bug where it checks a file’s group permission bits if the process’s user is a member of the process’s group rather than a member of the file’s group. CVE-2022-29526...
Authentication Bypass Using an Alternate Path or Channel
Steps to reproduce: 1. Log into the Administrator account. 2. Navigate to the User section. 3. Create a new User, call it testUser, with password 12345678. 4. Navigate to the Groups section and create a new group, call it testGroup. 5. Give the "manage:group" permission to testGroup and assign testUser...
Piwigo SQL Injection Vulnerability
Piwigo is a web-based open source photo gallery software. The software includes features such as image management, image categorization and permission management. Piwigo admin/user_perm.php has a SQL injection vulnerability that an attacker can exploit to inject into admin.php via the...
CVE-2020-15825
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges...
CVE-2019-6601
In BIG-IP 13.0.0, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, the Application Acceleration Manager (AAM) wamd process used in processing of images and PDFs fails to drop group permissions when executing helper scripts...
USN-2516-1 linux vulnerabilities
A flaw was discovered in the Kernel Virtual Machine's (KVM) emulation of the SYSENTER instruction when the guest OS does not initialize the SYSENTER MSRs. A guest OS user could exploit this flaw to cause a denial of service (guest OS crash) or potentially gain privileges on the guest OS...
Network Time Protocol Daemon (ntpd) < 4.2.1 -u Group Permission Weakness Privilege Escalation
According to its version number, the NTP (Network Time Protocol) server running on the remote host is affected by a flaw that causes it to run with the permissions of a privileged user if a group name rather than a group ID is specified on the command line. A local attacker, who has managed to...
Problem when signing up for new user Account from login page
I signed up for a new user account from the login page, filled in a username, password, name and e-mail. Then I tried to log in with the new username and got this exception: java.lang.NullPointerException at com.opensymphony.module.user.User.getGroups(User.java:94) at...