2 matches found
CVE-2026-28685
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/id" only checks the role-based viewinvoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLETEAMLEAD which grants viewinvoice can read a...
CVE-2025-24606
CVE-2025-24606: Missing Authorization in WordPress plugin Client Invoicing by Sprout Invoices (Sprout Invoices) — Broken Access Control allowing unauthorized access/privilege escalation in Client Invoicing by Sprout Invoices