12 matches found
Mattermost has an Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the /api/v4/channels/channelid/members endpoint...
EUVD-2018-13154
Malware in sbrugna...
EUVD-2022-25063
Malicious code in bioql PyPI...
CVE-2023-23007
An issue was discovered in ESPCMS P8.21120101: after logging in to the background, there is a SQL injection vulnerability in the function node where members are added...
ProjectID is disclosed and can be used for IDOR attack
I find that when we click the "Settings" button, we can see all the projects, even if the logged-in user does not belong to the project. Using Burp Suite to hijack the request, we can obtain project IDs. We can use a project ID to perform an IDOR attack. 1. Create two projects: project1 and project2, and their admin is...
SQL injection
An issue was discovered in ESPCMS P8.21120101: after logging in to the background, there is a SQL injection vulnerability in the function node where members are added...
CVE-2023-23007
An issue was discovered in ESPCMS P8.21120101: after logging in to the background, there is a SQL injection vulnerability in the function node where members are added...
CVE-2022-1783
CVE-2022-1783 affects GitLab CE/EE across multiple streams: 14.3–14.9.5, 14.10–14.10.4, and 15.0–15.0.1. The issue allows malicious group maintainers to add new project members via the REST API even when a group owner disables such additions. Affected components are GitLab’s group/project members...
Plone unauthorized member addition vulnerability
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator...
Cross-site Request Forgery (CSRF)
showdoc/showdoc is vulnerable to cross-site request forgery. The vulnerability exists through the register function in UserController.class.php, allowing an attacker to add any member to the team...
CVE-2015-7315
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator...
CVE-2015-7315
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator...