13 matches found
CVE-2025-2242
An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to...
CVE-2025-2242
Removed by vendor...
CVE-2025-2242
CVE-2025-2242 describes an improper access-control vulnerability in GitLab CE/EE that lets a former instance admin, downgraded to a regular user, retain elevated privileges to groups and projects across GitLab versions 17.4 through 17.8.6, 17.9 through 17.9.3, and 17.10 through 17.10.1. The provi...
CVE-2025-2242 Incorrect Authorization in GitLab
An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to...
CVE-2025-27399 Mastodon's domain blocks & rationales ignore user approval when visibility set as "users"
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins...
Any authenticated user may obtain private message details from other users on the same instance
Summary Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to loudly obtain all private messages of an...
GHSA-R64R-5H43-26QV Any authenticated user may obtain private message details from other users on the same instance
Summary Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to loudly obtain all private messages of an...
CVE-2024-23649
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
CVE-2024-23649 Any authenticated user may obtain private message details from other users on the same instance
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
Liferay Portal and Liferay DXP security vulnerability
Liferay Portal and Liferay DXP are both products of Liferay Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP ...
Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover
The plugin injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flocustomtableprefix cookie to an arbitrary value. On any website where flo-launch is active create cookie "flocustomtableprefix" with any string value to...
Stronger algorithm used to digest instance admin password
Let's use PKCS5S2...