Lucene search
K

13 matches found

Snyk
Snyk
added 2026/06/05 7:45 a.m.5 views

Insufficient Granularity of Access Control

Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the getMembers methods that serve the group members...

5.1CVSS5.4AI score0.00348EPSS
Exploits0References2
CVE
CVE
added 2026/01/02 3:42 p.m.10 views

CVE-2025-69284

CVE-2025-69284 affects the open-source project management tool Plane (plane.io). Before version 1.2.0, a guest user could access the API endpoint /api/workspaces/:slug/members/ and enumerate members of a workspace they joined. The response’s display_name is the email handler, allowing a malicious...

4.3CVSS6.4AI score0.00162EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/01/02 3:42 p.m.6 views

EUVD-2025-206228

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...

4.3CVSS6.2AI score0.00162EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/02 3:42 p.m.23 views

CVE-2025-69284 In plane.io, a Guest User to a Workspace can still be able to see list of members

Plane is an an open-source project management tool. In plane.io, a guest user doesn't have a permission to access https://app.plane.so/:slug/settings. Prior to Plane version 1.2.0, a problem occurs when the /api/workspaces/:slug/members/ is accessible by guest and able to list of users on a...

4.3CVSS0.00162EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/02 12:0 a.m.6 views

PT-2026-1101

Name of the Vulnerable Software and Affected Versions Plane versions prior to 1.2.0 Description Plane is an open-source project management tool. A guest user, lacking the necessary permissions, could access the /api/workspaces/:slug/members/ endpoint and list users within a workspace they have...

4.3CVSS6.6AI score0.00162EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/12/05 12:2 a.m.3 views

CVE-2025-14052 youlaitech youlai-mall members getMemberById access control

A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack is possible to be carried out...

6.5CVSS6.4AI score0.00221EPSS
Exploits1References4
Cvelist
Cvelist
added 2025/10/16 8:24 a.m.8 views

CVE-2025-10545 Guest user can add unauthorized team users to private channels

Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the /api/v4/channels/channelid/members endpoint...

3.1CVSS0.00306EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2025/07/04 2:43 p.m.3 views

SUSE CVE-2025-1792

Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...

3.1CVSS6.8AI score0.00205EPSS
Exploits0References2
OSV
OSV
added 2025/05/30 3:15 p.m.3 views

CVE-2025-1792

Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...

3.1CVSS6.7AI score
Exploits0References1
NVD
NVD
added 2025/05/30 3:15 p.m.21 views

CVE-2025-1792

Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...

3.1CVSS0.00205EPSS
Exploits0References1
CVE
CVE
added 2025/05/30 2:22 p.m.59 views

CVE-2025-1792

CVE-2025-1792 affects Mattermost Server: 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x

3.1CVSS6.7AI score0.00205EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2025/05/30 2:22 p.m.23 views

CVE-2025-1792 Improper Access Control in Mattermost Channel Member API

Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...

3.1CVSS0.00205EPSS
Exploits0References1
Veracode
Veracode
added 2022/12/01 10:41 a.m.20 views

Improper Access Control

ghost is vulnerable to improper access control. An unprivileged member has the ability to view and change unintended newsletter settings due to improper validation for nested objects in Memebers API...

4.3CVSS5AI score0.18914EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder