CVE-2026-41902 FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...
EUVD-2023-41770
Malicious code in bioql PyPI...
CVE-2023-37904
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the stable branch and version...
CVE-2024-5127 Improper Access Control in lunary-ai/lunary
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...
PT-2024-34584 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.2.2 through 1.2.25
Description: The issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not...
Design/Logic Flaw
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the stable branch and version...
CVE-2023-37904 Discourse Race Condition in Accept Invite
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the stable branch and version...
PT-2023-26173 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.0.6 of the stable branch; Discourse versions prior to 3.1.0.beta7 of the beta and tests-passed branches
Description: Discourse is an open source discussion platform. The issue allows more users than permitted to b...
PT-2023-2090 · Apache · Apache Openmeetings
Name of the Vulnerable Software and Affected Versions: Apache OpenMeetings versions 2.0.0 through 6.x
Description: The issue is related to a lack of authentication for a critical function in Apache OpenMeetings, allowing an attacker to elevate their privileges in any room. Specifically, the probl...
SUSE CVE-2022-23485
Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0, an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result...
SUSE CVE-2022-39306
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non...
CVE-2022-23485
Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0, an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result...
Email addresses and usernames can not be trusted
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non...