4 matches found
Protection Mechanism Failure
Overview Affected versions of this package are vulnerable to Protection Mechanism Failure via the config function. An attacker can access sensitive server-wide secrets, such as LDAP bind passwords and SAML private keys, by uploading a malicious template and causing it to be rendered by another...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization through the TimesheetVoter::voteOnAttribute process. An attacker can access, modify, or delete timesheet records belonging to users outside their team by sending crafted API requests with sufficient privileges...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the cgetAction function in InvoiceController.php, which lacks proper customer-level access control. An attacker can access sensitive invoice data belonging to other teams by sending authenticated API requests...
Improper Neutralization of Special Elements Used in a Template Engine
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the export process. An attacker with export permissions can access sensitive information, including environment variables, user password hashes, serialized sessio...