9 matches found
CVE-2026-56247
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...
CVE-2026-56247 Capgo - Privilege Escalation via Cross-Scope RBAC Role Assignment
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...
CVE-2026-56247
Capgo prior to version 12.128.2 contains a privilege-escalation flaw where org admins can assign org-scoped RBAC roles at the app scope without validating role-scope compatibility, including assignments to pending invitees . Attackers can pre-seed malformed high-privilege bindings that survive in...
CVE-2024-24817
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs private messages can be retrieved by anyone, even if they're not logg...
CVE-2024-24817
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs private messages can be retrieved by anyone, even if they're not logg...
CVE-2024-24817 User can see invitees in events created in PMs and private categories
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs private messages can be retrieved by anyone, even if they're not logg...
CVE-2024-24817
CVE-2024-24817 concerns the Discourse Calendar plugin. Prior to version 0.4, event invitees created in topics in private categories or private messages could be retrieved by anyone, even when not logged in. The issue is resolved in version 0.4 of the discourse-calendar plugin. Some partial mitiga...
CVE-2024-24817 User can see invitees in events created in PMs and private categories
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs private messages can be retrieved by anyone, even if they're not logg...
PT-2024-20583 · Discourse · Discourse Calendar
Name of the Vulnerable Software and Affected Versions: Discourse Calendar versions prior to 0.4 Description: The issue allows event invitees created in private categories or private messages to be retrieved by anyone, even if they are not logged in. This is a problem with the Discourse Calendar...