
6 matches found

Cvelist
added 2026/01/09 12:0 a.m., 19 views

CVE-2025-67282

In TIM BPM Suite/TIM FLOW through 9.1.2, multiple Authorization Bypass vulnerabilities exist which allow a low privileged user to download password hashes of other users, access work items of other users, modify restricted content in workflows, modify the application's logo and manipulate the profi...

EPSS: 0.00014
Exploits: 0, References: 2
CVE
added 2026/01/09 12:0 a.m., 7 views

CVE-2025-67282

TIM BPM Suite/TIM FLOW (through version 9.1.2) contains multiple Authorization Bypass vulnerabilities that permit a low-privilege user to: download other users’ password hashes, access other users’ work items, modify restricted workflow content, alter the application logo, and manipulate other us...

CVSS: 5.4, AI score: 6.6, EPSS: 0.00014
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2025/02/19 9:15 a.m., 2 views

CVE-2025-1007

In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in...

CVSS: 5.3, AI score: 6
Exploits: 0, References: 1
CVE
added 2025/02/19 8:40 a.m., 68 views

CVE-2025-1007

CVE-2025-1007 affects OpenVSX, specifically versions v0.9.0 through v0.20.0. The vulnerability arises in the /user/namespace/{namespace}/details API (and the related /user/namespace/{namespace}/details/logo) where a non-owner/non-contributor user can edit all namespace details (name, description,...

CVSS: 6.9, AI score: 6.3, EPSS: 0.00429
Exploits: 1, References: 1, Affected Software: 1
Hacker One
added 2018/09/20 7:53 p.m., 33 views

HackerOne: User with privilege to maintain External Programs can update certain churned HackerOne programs

Summary: You wrote that some programs are behind, but you are trying to get them back sorry maybe bad translation Description: Apparently because of a system error, I have access to change information in the public program. This option is given only for external programs. But here is a public...

AI score: 6.7
Exploits: 0
CNVD
added 2017/08/08 12:0 a.m., 1 views

File upload vulnerability in SchoolCMS backend SiteController.class.php

SchoolCMS is a school teaching management system based on PHP+MySQL. A file upload vulnerability exists in the SchoolCMS backend SiteController.class.php, due to the system Upload function not effectively filtering user-submitted data. A remote attacker can arbitrarily write files to gain web...

AI score: 7.4
Exploits: 0